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Part 1. Digital Certificate Manager 


A digital certificate is an electronic credential that you can use to establish proof of 
identity in an electronic transaction. There are an increasing number of uses for 
digital certificates to provide enhanced network security measures. For example 
digital certificates are essential to configuring and using she ecure Sockets Layer 
Using SSL allows you to create secure connections between users and server 
applications across an untrusted network, such as the Internet. SSL provides one of 
the best solutions for protecting the privacy of sensitive data, such as user names 
and passwords, over the Internet. Many iSeries’ services and applications, such as 


FTP, Telnet, HTTP Server for iSeries, and many others, provide SSL support to 
ensure data privacy. 


iSeries provides extensive digital certificate support that allows you to use digital 
certificates as credentials in a number of security applications. In addition to using 
certificates to configure SSL, you can use them as credentials for client 
authentication in both SSL and virtual private network (VPN) transactions. Also, 
you can use digital certificates and their associated security keys to 
Signing objects allows you to detect changes or possible tampering to object 
contents by verifying signatures on the objects to ensure their integrity. 


Capitalizing on the iSeries support for certificates is easy when you use Digital 
Certificate Manager (DCM), a free iSeries feature, to centrally manage certificates 
for your applications. DCM allows you to manage certificates that you obtain from 
any Certificate Authority (CA). Also, you can use DCM to create and operate your 
own Local CA to issue private certificates to applications and users in your 
organization. 


Proper planning and evaluation are the keys to using certificates effectively for 
their added security benefits. You should review these topics to learn more about 
how certificates work and how you can use DCM to manage them and the 
applications that use them: 


What’s new for V5R2) 
Use this information to learn about changes to the Digital Certificate Manager feature 
and the changes to the information topic for this release. 


Print this topic 


Use this page to learn how to print the entire topic as a PDF file. 


Migrate to DCM from an earlier release 

Use this information to learn what tasks you must perform and other considerations 
you need to understand if you are migrating an existing version of DCM to the 
current release version. 


DCM scenarios 

Use this information to review two scenarios that illustrate typical certificate 
implementation schemes to help you plan your own certificate implementation as part 
of your iSeries security policy. Each scenario also provides all needed configuration 
tasks you must perform to employ the scenario as described. 


Use this concept and reference information to better understand what digital 
certificates are and how they work. Learn about the different types of certificates and 
how you can use them as part of your security policy. 
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Plan for DCM 


Use this information to help you decide how and when you should use digital 
certificates to meet your security goals. Use this information to learn about any 
prerequisites you need to install, as well as other requirements that you must consider 
before using DCM. 


Configure DCM 
Use this information to learn how to configure everything you need to ensure that 
you can use DCM to manage your certificates and their keys. 


Manage DCM 

Use this information to learn how to use DCM to manage your certificates and the 
applications that use them. Also, you can learn about how to digitally sign objects and 
how to create and operate your own Certificate Authority. 


Troubleshoot DCM 


Use this information to learn how to resolve some of the more common errors that 
you may experience when using DCM. 


Related information for DCM 


Use this page to find links to other resources for learning more about digital 
certificates, public key infrastructure, Digital Certificate Manager, and other related 
information. 


iSeries: Digital Certificate Manager 


Chapter 1. What’s new for V5R2 


Enhancements to V5R2 Digital Certificate Manager (DCM) and iSeries digital 

certificate capabilities include: 

* Assign certificate function 
This new DCM task allows you to more quickly and easily assign a certificate] to 
one or more applications. You can access this task from either the Manage 
Certificates task list or from the fast path pages Work with server and 
certificates and Work with object signing certificates. This function is available 
for the *SYSTEM and *OBJECTSIGNING certificate stores only. 

* Sign command (*CMD) objects 
You can now use DCM to create digital signatures on command (*CMD) objects 
to provide a means of checking their integrity. Also, you can choose the scope of 
the signature for *CMD objects; you can choose whether to sign the entire *CMD 
object or to sign only the *CMD object’s When you use DCM 
to view the signature on *CMD objects, DCM provides information about the 
scope of the signature. 

¢ APIs for creating user certificates signed by the Local CA without using DCM 
There are now two new that you can use to programmatically issue 
certificates signed by your Local Certificate Authority (CA) to non-iSeries users. 
These APIs allow you to issue certificates to users without iSeries user profiles 
and without the users having to use DCM to individually obtain a certificate for 
client authentication. 


New or enhanced information for this topic includes: 

* Two new [scenarios] that you can use to help you determine how best to employ 
certificates to fulfill your security goals. 

* Reorganized information that makes it easier for you to quickly find the 
information that you need to use DCM. 


To find other information about what’s new or changed this release, see the[Memo] 


fo Users, 
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Chapter 2. Print this topic 


To view or download the PDF version, select |Digital certificate Manager ~ (file 


size is about 468 KB or about 110 pages). 


To save a PDF on your workstation for viewing or printing: 

Open the PDF in your browser (click the link above). 

In the menu of your browser, click File. 

Click Save As... 

Navigate to the directory in which you would like to save the PDF. 
Click Save. 


oP ONS 


If you need Adobe Acrobat Reader to view or print the PDF, you can download a 


copy from the|Adobe Web site 
(a 


(www.adobe.com/prodindex/acrobat/readstep hemi) . 


© Copyright IBM Corp. 1999, 2002 5 


6 iSeries: Digital Certificate Manager 


Chapter 3. Migrate from an earlier version of DCM 


When you migrate from the V4R3 version of Digital Certificate Manager (DCM) to 
V5R2, DCM automatically upgrades your existing local Certificate Authority (CA) 
and system certificate key ring files. DCM upgrades these files, which are named 
default.kyr, into the corresponding certificate store files, which are named 
default.kdb. DCM also migrates all of the valid certificates in the key ring files 
associated with the Hypertext Transfer Protocol (HTTP) and Lightweight Directory 
Access Protocol (LDAP) servers. DCM migrates the valid certificates into the 
*SYSTEM certificate store (default. kdb). 


Note: If you are migrating from a V4R4, V4R5, or V5R1 version of DCM, you do 
not need to perform any migration tasks because the certificate files from 
these versions are compatible with the V5R2 version of DCM. 


Key ring to certificate store migration — V4R3 migration 


During V5R2 DCM installation, the system migrates the following key ring files: 
* DCM’s default key ring files. 

* Key rings that the HTTP Server configuration files use. 

* Key rings that the LDAP Server configuration files use. 


If you use a .kyr file that DCM did not automatically upgrade, DCM converts it to 
a kyr.kdb file when you work with it for the first time in DCM. For example, the 
first time that you specify the file secure. kyr in the DCM user interface, DCM 
converts the file into a new certificate store with a file name of secure. kyr.kdb. 


Note: Key rings are different from certificate stores, so you must convert key ring 
files that DCM did not automatically upgrade by working with them 
through the DCM user interface. Manually changing the file name 
extensions to .kdb results in errors when you subsequently try to work with 
those files through the DCM user interface. 


If you attempt to delete the secure.kyr file when using DCM, DCM actually 
archives it and deletes the secure.kyr.kdb file. 


Default certificate store password 


If the file /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR exists, the system 
migrates this key ring file and any other eligible key ring files into the *SYSTEM 
certificate store. The original password associated with the 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR file is used as the password for the 
*“SYSTEM certificate store. 


If the file /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR does not exist, but there 
are other key ring files eligible for migration (for example, key ring files that the 
HTTP Server configuration files use), the system creates the *SYSTEM certificate 
store with a password of DEFAULT (all uppercase letters) and completes the 
migration. 


For information on errors that may occur during the file migration process and 
information about how to resolve them, see:|Migration errors and recovery 
solutions 
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| Chapter 4. DCM scenarios 


Digital Certificate Manager and the digital certificate support that your iSeries 
provides allows you to use certificates to enhance your security policy in a number 
of different ways. How you choose to use certificates varies based on both your 
business objectives and your security needs. 


Using digital certificates can help you improve your security in a number of ways. 
Digital certificates allow you to use Fi eranae yr (SSL) for secure 
access to Web sites and other Internet services. You can use digital certificates to 
configure your virtual private network (VPN) connections. Also, you can use a 
certificate’s key to digitally sign objects or to verify digital signatures to ensure the 
authenticity of objects. Such digital signatures ensure the reliability of an object’s 
origin and protect the integrity of the object. 


You can further augment system security by using digital certificates (instead of 
user names and passwords) to authenticate and authorize sessions between the 
server and users. Also, you can use DCM to associate a user’s certificate with his 
or her iSeries user profile. The certificate then has the same authorizations and 
permissions as the associated profile. 


Consequently, how you choose to use certificates can be complicated and depends 
on a variety of factors. The scenarios provided in this topic describe some of the 
more common digital certificate security objectives within typical business contexts. 
Each scenario also describes all necessary system and software prerequisites and all 
the configuration tasks that you must perform to implement the scenario. Review 
these scenarios to help you determine how using certificates for increased security 
may best suit your needs: 


Scenario: Use certificates to protect access to public applications and resources 


This scenario describes when and how to use certificates to protect and limit access by 
public users to public or extranet resources and applications. 


Scenario: Use certificates to protect access to internal applications and resources 


This scenario describes when and how to use certificates to protect and restrict which 
resources and applications that internal users can access on your internal servers. 


Scenario: Use certificates to protect access to public applications and 


resources 


Situation 


You work for an insurance company (MyCo., Inc) and are responsible for 
maintaining different applications on your company’s intranet and extranet sites. 
One particular application for which you are responsible is a rate-calculating 
application that allows hundreds of independent agents to generate quotes for 
their clients. Because the information that this application provides is somewhat 
sensitive, you want to make sure that only registered agents can use it. Further, 
you want to eventually provide a more secure method of user access to the 
application than your current user name and password method. You are concerned 
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Objectives 


that unauthorized users could capture this information when it is transmitted over 
an untrusted network. Also, different agents could share this information with each 
other without authorization to do so. 


After some research, you decide that using digital certificates can provide you with 
the security that you need. Using certificates allows you to use Secure Sockets 
Layer (SSL) to protect the transmission of the rate data. Although eventually you 
want all agents to use a certificate to access the application, you know that your 
company and your agents may need some time before this goal can be achieved. 
At this time, you plan to continue the current user name and password 
authentication method because SSL protects the privacy of this sensitive data in 
transmission. 


Based on the type of application and its users and your future goal of certificate 
authentication for users, you decide to use a public certificate from a well known 
Certificate Authority (CA) to configure SSL for your application. 


Scenario advantages 


This scenario has the following advantages: 

* Using digital certificates to configure SSL access to your rate calculation 
application ensures that the information transmitted between the server and 
client is protected and private. 

* Using digital certificates whenever possible for client authentication provides a 
more secure method of identifying authorized users. Even where not possible, 
client authentication by means of a username and password is protected and 
kept private by the SSL session, making the exchange of such sensitive data 
more secure. 

* Using public digital certificates to limit or allow access to your applications and 
data is a practical choice under these or similar conditions: 

— Your data and applications require varying degrees of security. 

— There is a high rate of turnover among your trusted users. 

—- You provide public access to applications and data, such as an Internet web 
site, or an extranet application. 

— You do not want to operate your own Certificate Authority (CA) due to a 
large number of users who access your applications and resources or for other 
administrative reasons. 

* Using a public certificate to configure the rate calculating application for SSL in 
this scenario decreases the amount of configuration that users must perform to 
access the application. Most client software contains CA certificates for most 
well-known CAs. 


In this scenario, MyCo., Inc. wants to use digital certificates to protect the rate 
calculating information that their application provides to authorized public users. 
The company also wants a more secure method of authenticating those users who 
are allowed to access this application. 


The objectives of this scenario are as follows: 

* Company public rate calculating application must use SSL to protect the privacy 
of the data that it provides to users. 

* SSL configuration must be accomplished with public certificates from a 
well-known public Internet Certificate Authority (CA). 
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Details 


Authorized users must provide a valid user name and password to access the 
application in SSL mode. Eventually, authorized users must be able to use one of 
two methods of secure authentication to be granted access to the application. 
Agents must present either a public digital certificate from a well-known 
Certificate Authority (CA) or a valid user name and password. 


The following figure illustrates the network configuraton situation for this scenario: 
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The figure illustrates the following information about the situation for this 
scenario: 


Company public server — iSeries A 


iSeries A is the server that hosts the company’s rate calculating application. 

iSeries A runs OS/400® Version 5 Release 2 (V5R2). 

iSeries A has a cryptographic access provider (5722—AC3) installed. 

iSeries A has Digital Certificate Manager (OS/400 option 34) and IBM® HTTP 

Server for iSeries (5722—DG1) installed and configured. 

iSeries A runs the rate calculating application, which is configured such that it: 

— Requires SSL mode. 

— Uses a public certificate from a well-known Certificate Authority (CA) for SSL 
configuration. 

— Requires user authentication by user name and password. 

iSeries A presents its certificate to initiate an SSL session when Clients B and C 

access the application. 

After initializing the SSL session, iSeries A requests that Clients B and C provide 

a valid user name and password before allowing access to the rate calculating 

application. 


Agent client systems — Client B and Client C 


Clients B and C are independent agents who access the rate calculating 
application. 

Clients B and C have a copy of the well-known CA certificate that issued the 
application certificate installed in their client software. 

Clients B and C access the rate calculating application on iSeries A, which 
presents its certificate to their client software to verify its identity and initiate an 
SSL session. 

Client software on Clients B and C is configured to accept the certificate from 
iSeries A and the SSL session begins. 
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After the SSL session begins, Clients B and C must provide a valid user name 
and password before iSeries A grants access to the application. 


Prerequisites and assumptions 


This scenario depends on the following prerequisites and assumptions: 


1. 


as 


Task steps 


The rate calculating application on iSeries A is a generic application that can be 
configured to use SSL. Most applications, including many iSeries applications, 
provide SSL support. SSL configuration steps vary widely among applications. 
Consequently, this scenario does not provide specific instructions for 
configuring the rate calcuating application to use SSL. This scenario provides 
instructions for configuring and managing the certificates that are necessary for 
any application to use SSL. 

Optionally, the rate calculating application may provide the capability of 
requiring certificates for client authentication. This scenario provides 
instructions for how to use Digital Ceritificate Manager (DCM) to configure 
certificate trust for those applications that provide this support. Because the 
configuration steps for client authentication vary widely among applications, 
this scenario does not provide specific instructions for configuring certificate 
client authentication for the rate calculating application. 

iSeries A meets the [requirements| for installing and using Digital Certificate 
Manager (DCM). 

No one has previously configured or used DCM on iSeries A. 

Whoever uses DCM to perform the tasks in this scenario must have *SECADM 
and *ALLOBJ special authorities for their user profile. 

iSeries A does not have an IBM 4758-023 PCI Cryptographic Coprocessor 
installed. 


To implement this scenario, you must perform these tasks on iSeries A: 


ds 


wo 


oO 


Complete all [prerequisite] steps to install and configure all needed iSeries 
products. 


Use Digital Certificate Manager (DCM) to|create a server certificate} request. 
[Configure] your application to use Secure Sockets Layer (SSL). 
Use DCM to}import and assign|the signed server or client certificate to the 


application ID for your application. 
the application in SSL mode, if necessary. 


Optional task: Use DCM to|define a CA trust list} to enable client authentication 


based on certificates for applications that provide this support. 


Note: The situation that this scenario describes does not require the rate 
calculating application use certificates for client authentication. Many 
applications provide certificate client authentication support; how you 
configure this support varies widely among applications. This optional 
task is provided to help you understand how to use DCM to enable 
certificate trust for client authentication as a foundation for configuring 
your applications’ certificate client authentication support. 


Configuration details 


Complete the following task steps to use certificates to configure protected public 
access to applications and resources as this scenario describes. 
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Step 1: Complete prerequisite tasks to install all needed iSeries products 


You must complete all tasks to install and configure all needed iSeries 
products before you can perform specific configuration tasks for implementing this 
scenario. 


Step 2: Create a server or client certificate request 


To begin the process of using Secure Sockets Layer (SSL) to protect the data 
communication of an application as this scenario describes, you must first obtain a 
digital certificate from a public Certificate Authority (CA). You use Digital 
Certificate Manager (DCM) to create the information that the public CA requires 
for issuing a certificate. 


To begin the process of obtaining your certificate, complete these steps: 
2 


art| DCM. 
In the navigation frame of DCM, select Create New Certificate Store to start 
the guided task and complete a series of forms. These forms guide you through 
the process of creating a certificate store and a certificate that your applications 
can use for SSL sessions. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

Select *SYSTEM as the certificate store to create and click Continue. 

Select Yes to create a certificate as part of creating the *SYSTEM certificate store 

and click Continue. 

Select VeriSign or other Internet Certificate Authority (CA) as the signer of 

the new certificate, and click Continue to display a form that allows you to 

provide identifying information for the new certificate. 

Complete the form and click Continue to display a confirmation page. This 

confirmation page displays the certificate request data that you must provide to 

the public Certificate Authority (CA) that will issue your certificate. The 

Certificate Signing Request (CSR) data consists of the public key and other 

information that you specified for the new certificate. 

Carefully copy and paste the CSR data into the certificate application form, or 

into a separate file, that the public CA requires for requesting a certificate. You 

must use all the CSR data, including both the Begin and End New Certificate 

Request lines. When you exit this page, the data is lost and you cannot recover 

it. 

Send the application form or file to the CA that you have chosen to issue and 

sign your certificate. 

Wait for the CA to return the signed, completed certificate before you continue 

to the next task step for the scenario. 


After the CA returns the signed completed certificate, you can configure your 
application to use SSL, import the certificate into the *SYSTEM certificate store, and 
assign it to your application to use for SSL. 


Step 3: Configure application to use SSL 


When you receive your signed certificate back from the public Certificate Authority 
(CA), you can continue the process of enabling Secure Sockets Layer (SSL) 
communications for your public application. You should configure your application 
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to use SSL prior to working with your signed certificate. Some applications, such 
as the HTTP Server for iSeries generate a unique application ID and register the ID 
with Digital Certificate Manager (DCM) when you configure the application to use 
SSL. You must know the application ID before you can use DCM to assign your 
signed certificate to it and complete the SSL configuration process. 


How you configure your application to use SSL varies based on the application. 
This scenario does not assume a specific source for the rate calculating application 
that it describes because there are a number of ways that MyCo., Inc. could 
provide this application to its agents. 


To configure your application to use SSL, follow the instructions that your 
application documentation provides. Also, you can learn more about configuring 


many common IBM applications to use SSL by reviewing the Information Center 
topic,|Secure applications with SSL 


Step 4: Import and assign the signed public certificate 


After you configure your application to use SSL, you can use Digital Certificate 
Manager (DCM) to import your signed certificate and assign it to your application. 


To import your certificate and assign it to your application to complete the process 

of configuring SSL, follow these steps: 

a DCM. 

2. In the navigation frame, click Select a Certificate Store and select *SYSTEM as 
the certificate store to open. 

3. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 

4. After the navigation frame refreshes, select Manage Certificates to display a list 
of tasks. 

5. From the task list, select Import certificate to begin the process of importing 
the signed certificate into the *SYSTEM certificate store. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

6. Next, select Assign certificate from the Manage Certificates task list to display 

a list of certificates for the current certificate store. 

7. Select a certificate from the list and click Assign to Applications to display a 
list of application definitions for the current certificate store. 

8. Select your application from the list and click Continue. A page displays with 
either a confirmation message for your assignment selection or an error 
message if a problem occurred. 


With these tasks complete, you can start your application in SSL mode and begin 
protecting the privacy of the data that it provides. 


Step 5: Start application in SSL mode 
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After you complete the process of importing and assigning the certificate to your 
application, you may need to end and restart your application in SSL mode. This is 
necessary in some cases because the application may not be able to determine that 
the certificate assignment exists while the application is running. Review the 
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documentation for your application to determine whether you need to restart the 


=e lication or for other specific information about starting the |application in SSL 


Optional step 6: Define a CA trust list for an application that requires certificates for client authentication 


Applications that support the use of certificates for client authentication during a 
Secure Sockets Layer (SSL) session must determine whether to accept a certificate 
as valid proof of identity. One of the criteria that an application uses for 
authenticating a certificate is whether the application trusts the Certificate 
Authority (CA) that issued the certificate. 


The situation that this scenario describes does not require the rate calculating 
application use certificates for client authentication. Many applications provide 
certificate client authentication support; how you configure this support varies 
widely among applications. This optional task is provided to help you understand 
how to use DCM to enable certificate trust for client authentication as a foundation 
for configuring your applications to use certificates for client authentication. 


Before you can define a CA trust list for an application, several conditions must be 

met: 

* The application must support the use of certificates for client authentication. 

* The DCM definition for the application must specify that the application use a 
CA trust list. 


If the definition for an application specifies that the application use a CA trust list, 
you must define the list before the application can perform certificate client 
authentication successfully. This ensures that the application can validate only 
those certificates from CAs that you specify as trusted. If users or a client 
application present a certificate from a CA that is not specified as trusted in the CA 
trust list, the application will not accept it as a basis for valid authentication. 


To use DCM to define a CA trust list for your application, complete these steps: 

1. [Start] DCM. 

2. In the navigation frame, click Select a Certificate Store and select *SYSTEM as 
the certificate store to open. 

3. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 

4. After the navigation frame refreshes, select Manage Certificates to display a list 
of tasks. 

5. From the task list, select Set CA status to display a list of CA certificates. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

6. Select the CA certificate from the list that your application should trust and 
click Enable to display a list of applications that use a CA trust list. 

7. Select the application from the list that should add the selected CA to its trust 
list and click OK. A message displays at the top of the page to indicate that the 
applications you selected will trust the CA and the certificates that it issues. 


You can now configure your application to require certificates for client 


authentication. Follow the instructions provided by the documentation for your 
application. 
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Scenario: Use certificates to protect access to internal applications 


and resources 


Situation 


You are the network administrator for a company (MyCo., Inc.) whose human 
resource department is concerned with such issues as legal matters and privacy of 
records. Company employees have requested that they be able to access their 
personal benefits and health care information online. The company has responded 
to this request by creating an internal web site to provide this information to 
employees. You are responsible for administering this internal web site. 


Because employees are located in two geographically separate offices and some 
employees travel frequently, you are concerned about keeping this information 
private as it travels across the Internet. Also, you traditionally use username and 
password authentication to limit access to company data. Because of the sensitive 
and private nature of this data, you realize that limiting access to it based on 
passwords may not be sufficient. After all, people can share, forget, and even steal 
passwords. 


After some research, you decide that using digital certificates can provide you with 
the security that you need. Using certificates allows you to use Secure Sockets 
Layer (SSL) to protect the transmission of the data. Additionally, you can use 
certificates instead of passwords to more securely authenticate users and limit the 
human resource information that they can access. 


Therefore, you decide to set up a private Local Certificate Authority (CA) and 
issue certificates to all employees and have the employees associate their 
certificates with their iSeries user profiles. This type of private certificate 
implementation allows you to more tightly control access to sensitive data, as well 
as control the privacy of the data by using SSL. Ultimately, by issuing certificates 
yourself, you have increased the probability that your data remains secure and is 
accessible only to specific individuals. 


Scenario advantages 


This scenario has the following advantages: 

* Using digital certificates to configure SSL access to your human resource web 
server ensures that the information transmitted between the server and client is 
protected and private. 

* Using digital certificates for client authentication provides a more secure method 
of identifying authorized users. 

* Using private digital certificates to limit or allow access to your applications and 
data is a practical choice under these or similar conditions: 

— You require a high degree of security, especially in regards to authenticating 
users. 

— You trust the individuals to whom you issue certificates. 

— Your users already have iSeries user profiles for controlling their access to 
applications and data. 

— You want to operate your own Certificate Authority (CA). 

* Using private certificates for client authentication allows you to more easily 
associate the certificate with the authorized user’s iSeries user profile. This 
association of certificate with a user profile allows the HTTP Server to determine 
the certificate owner’s user profile during authentication. The HTTP Server can 
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Objectives 


Details 


then swap to it and run under under that user profile or perform actions for that 
user based on information in the user profile. 


In this scenario, MyCo., Inc. wants to use digital certificates to protect the sensitive 
personal information that their internal human resources web site provides to 
company employees. The company also wants a more secure method of 
authenticating those users who are allowed to access this web site. 


The objectives of this scenario are as follows: 


Company internal human resources web site must use SSL to protect the privacy 
of the data that it provides to users. 

SSL configuration must be accomplished with private certificates from an 
internal Local Certificate Authority (CA). 

Authorized users must provide a valid certificate to access the human resources 
web site in SSL mode. 


The following figure illustrates the network configuraton situation for this scenario: 
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The figure illustrates the following information about the situation for this 
scenario: 


Company human resource web server - iSeries A 


iSeries A is the server that hosts the company’s web-based human resource 

application. 

iSeries A runs OS/400 Version 5 Release 2 (V5R2). 

iSeries A has a cryptographic access provider (5722—AC3) installed. 

iSeries A has Digital Certificate Manager (OS/400 option 34) and IBM HTTP 

Server for iSeries (5722—DG1) installed and configured. 

iSeries A runs the human resource application, which is configured such that it: 

— Requires SSL mode. 

— Uses a private certificate from a Local Certificate Authority (CA) for SSL 
configuration. 

— Requires certificates for client authentication. 

iSeries A presents its certificate to initiate an SSL session when Clients B, C, and 

D access the application. 
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After initializing the SSL session, iSeries A requests that Clients B, C, and D 
provide a valid certificate before allowing access to the human resource 
application. This exchange of certificates is transparent to the users of Clients B, 
C, and D. 


Employee client systems — Client B, Client C, and Client D 


Client B is an employee who works in MyCo’s main office where iSeries A is 
located. 

Client C is an employee who works in MyCo’s secondary office which is 
geographically separated from the main office. 

Client D is an employee who works remotely and travels frequently on company 
business and must be able to securely access the human resources web site 
regardless of physical location. 

Clients B, C and D are company employees who access the human resource 
application. 

Clients B, C, and D all have a copy of the Local CA certificate that issued the 
application certificate installed in their client software. 

Clients B, C, and D access the human resource application on iSeries A, which 
presents its certificate to their client software to verify its identity and initiate an 
SSL session. 

Client software on Clients B, C, and D is configured to accept the certificate from 
iSeries A and the SSL session begins. 

After the SSL session begins, Clients B, D, and D must provide a valid certificate 
before iSeries A grants access to the application and its resources. 


Prerequisites and assumptions 


This scenario depends on the following prerequisites and assumptions: 


1. 


Task steps 
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The IBM HTTP Server for iSeries runs the human resource application on 
iSeries A. There are two types of HTTP Server for iSeries (original and powered 
by Apache) and a significantly revised version of the HTTP Server will be 
available after the publication of this information. Consequently, this scenario 
does not provide specific instructions for configuring the HTTP Server to use 
SSL. This scenario provides instructions for configuring and managing the 
certificates that are necessary for any application to use SSL. 

The HTTP Server provides the capability of requiring certificates for client 
authentication. This scenario provides instructions for using Digital Ceritificate 
Manager (DCM) to configure the certificate management requirements for this 
scenario. However, this scenario does not provide the specific configuration 
steps for configuring certificate client authentication for the HTTP Server. 

The human resources HTTP Server on iSeries A already uses password 
protection. 

iSeries A meets the [requirements| for installing and using Digital Certificate 
Manager (DCM). 

No one has previously configured or used DCM on iSeries A. 

Whoever uses DCM to perform the tasks in this scenario must have *SECADM 
and *ALLOBJ special authorities for their user profile. 

iSeries A does not have an IBM 4758-023 PCI Cryptographic Coprocessor 
installed. 


There are two sets of tasks that you must complete to implement this scenario: One 
set of tasks allows you to set up the human resource application on iSeries A to 
use SSL and require certificates for user authentication. The other set of tasks 
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allows your users on Clients B, C, and D to participate in SSL sessions with the 
human resource application and obtain certificates for user authentication. 


Human resource web server application task steps 


1. Complete all steps to install and configure all needed iSeries 
products. 

2. your human resources HTTP server to use SSL and make a note of 
the application ID for the server instance. 


3. Use Digital Certificate Manager (DCM) to|create and operate a Local CA|and 


use it to issue a certificate for the human resources HTTP server. This guided 
task also ensures that you assign the certificate to the web server application 


and add the CA to the list of those that the application trusts. 
4. Configure the human resources web server to 
authentication 


5. |Start|the human resources HTTP Server in SSL mode. 


To implement this Sn ie must perform these tasks on iSeries A: 


Client configuration task steps 


To implement this scenario, each user (Clients B, C, and D) who will access the 
human_ resource web server on iSeries A must perform these tasks: 


6. |Install a copy of the Local CA certificate|in their browser software. 
7. |Request a certificate] from the Local CA. 


Configuration details 


Complete the following task steps to use certificates to configure protected access 
to internal applications and resources as this scenario describes. 


Step 1: Complete prerequisite tasks to install all needed iSeries products 


You must complete all tasks to install and configure all needed iSeries 
products before you can perform specific configuration tasks for implementing this 
scenario. 


Step 2: Configure the human resources HTTP Server to use SSL 


Secure Sockets Layer (SSL) configuration steps for the human resources HTTP 
Server on iSeries A vary based on whether you are using the original or the 
powered by Apache version. 


For specific information about configuring the HTTP Server (original) to use SSL, 
see (Configure a secure server on HTTP Server! 
For specific information about configuring the HTTP Server (powered _by Apache 


to_use SSL, see|Scenario: JKL enables Secure Sockets Layer (SSL) protection on their 
IHTTP Server (powered by Apache)| This scenario provides all the task steps for 


creating a virtual host and configuring it to use SSL. For the specific steps to 
configure SSL, see the heading "Enable SSL for a virtual host.” 


For additional information on configuring both current and future_versions of the 
HTTP Server for iSeries (original or powered by Apache), see the 
topic. 
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Step 3: Create and operate a Local CA 
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After you configure the human resources HTTP Server to use Secure Sockets Layer 
(SSL), you must configure a certificate for the server to use to initiate SSL. Based 
on the objectives for this scenario, you have chosen to create and operate a Local 
Certificate Authority (CA) to issue a certificate to the server. 


When you use Digital Certificate Manager (DCM) to create a Local CA, you are 
guided through a process that ensures that you configure everything that you need 
to enable SSL for your application. This includes assigning the certificate that the 
Local CA issues to your web server application. Also, you add the Local CA to the 
web server application’s CA trust list. Having the Local CA in the application’s 
trust list ensures that the application can recognize and authenticate users that 
present certificates that the Local CA issues. 


To use Digital Certificate Manager (DCM) to create and operate a Local CA and 
issue_a certificate to your human resources server application, complete these steps: 
1. [Start] DCM. 

2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to 
display a series of forms. These forms guide you through the process of 
creating a Local CA and completing other tasks needed to begin using digital 
certificates for SSL, object signing, and signature verification. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) button at the top of the page to 
access the online help. 

3. Complete the forms for this guided task. In using these forms to perform all 
the tasks that you need to set up a working Local Certificate Authority (CA), 
you: 

a. Provide identifying information for the Local CA. 

b. Install the Local CA certificate on your PC or in your browser so that your 
software can recognize the Local CA and validate certificates that the Local 
CA issues. 

c. Choose the policy data for your Local CA. 


Note: Be sure to select that the Local CA can issue user certificates. 

d. Use the new Local CA to issue a server or client certificate that your 
applications can use for SSL connections. 

e. Select the applications that can use the server or client certificate for SSL 
connections. 


Note: Be sure to select the application ID for your human resources HTTP 
Server. 

f. Use the new Local CA to issue an object signing certificate that applications 
can use to digitally sign objects. This subtask creates the *OBJECTSIGNING 
certificate store; this is the certificate store that you use to manage object 
signing certificates. 


Note: Although this scenario does not use object signing certificates, be sure 
to complete this step. If you cancel at this point in the task, the task 
ends and you have to perform separate tasks to complete your SSL 
certificate configuration.. 

g. Select the applications that should trust the Local CA. 
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Note: Be sure to select the application ID for your human resources HTTP 
Server as one of the applications that trusts the Local CA. 


Now that you have completed the certificate configuration that your web server 
application requires to use SSL, you can configure the web server application to 
require certificates for user authentication. 


Step 4: Configure human resources web server to require certificates for client authentication 


Secure Sockets Layer (SSL) configuration steps for requiring certificates for client 
authentication for the human resources HTTP Server on iSeries A vary based on 
whether you are using the original or the powered by Apache version of the 
application. 


For more specific information about configuring the HTTP Server (original) to 
require certificates for client authentication, see|Create protection setups on HTTP 
Server (original) 


For specific information about configuring the HTTP Server (powered by Apache 


to use certificates for client authentication, see|Scenario: JKL enables Secure Sockets 
Layer (SSL) protection on their HTTP Server (powered by Apache)| This HTTP 


Server scenario provides all the task steps for creating a virtual host and 
configuring it to use SSL and certificates for client authentication. For the specific 
steps to configure SSL and certificates for client authentication, see the heading 
"Enable SSL for a virtual host.” 


For additional information on configuring both current and future_versions of the 
HTTP Server for iSeries (original or powered by Apache), see the 
topic. 


Step 5: Start the human resources web server in SSL mode 


You may need to stop and restart your HTTP Server to ensure that the server is 
able to determine that the certificate assignment exists and use it to initiate SSL 
sessions. 


To stop and start the HTTP Server (original), use the Configuration and 
Administration forms and follow these steps: 

Click Administration. 

Click Manage HTTP servers. 

Select the server. 

Enter optional startup parameters in the field that is provided on the form. 
Click Start. 


gPaon> 


Note: If the server was running when you made certificate assignments, you 
should Stop, then Start the server. Clicking Restart does not always 
ensure that the server is able to determine any certificate changes that 
occurred while it was running.. 


To stop and start the HTTP Server (powered by Apache), use the Configuration 

and Administration forms and follow these steps: 

1. Click Administration. 

2. In the menu at left, click Manage HTTP Servers under General Server 
Administration. 
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3. Select the server that you want to work with, then click Start or Stop. Refer to 
the online help for more information on startup parameters. 


For additional information on managing current and future versions of the HTTP 
Server for iSeries (original or powered by Apache), see the topic. 


With these tasks complete, you can start your human resources application in SSL 
mode and begin protecting the privacy of the data that it provides. 


Step 6: Have users install a copy of the Local CA certificate in their browser software. 


When users access a server that provides a Secure Sockets Layer (SSL) connection, 
the server presents a certificate to the user’s client software as proof of its identity. 
The client software must then validate the server's certificate before the server can 
establish the session. To validate the server certificate, the client software must 
have access to a locally stored copy of the certificate for the Certificate Authority 
(CA) that issued the server certificate. If the server presents a certificate from a 
public Internet CA, the user’s browser or other client software should already have 
a copy of the CA certificate. If, as in this scenario, the server presents a certificate 
from a private Local CA, each user must use Digital Certificate Manager (DCM) to 
install a copy of the Local CA certificate. 


Each user (Clients B, C, and D) must complete these steps to obtain a copy of a 

Local CA certificate: 

1. [Start] DCM. 

2. In the navigation frame, select Install Local CA Certificate on Your PC to 
display a page that allows you to download the Local CA certificate into your 
browser or to store it in a file on your system. 

3. Select the option to install the certificate. This option downloads the Local CA 
certificate as a trusted root in your browser. This ensures that your browser can 
establish secure communications sessions with web servers that use a certificate 
from this CA. Your browser will display a series of windows to help you 
complete the installation. 

4. Click OK to return to the Digital Certificate Manager home page. 


Step 7: Have each user request a certificate from the Local CA 
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In earlier steps, you configured the the human resources web server to require 
certificates for user authentication. Now users must present a valid certificate from 
the Local CA before they are allowed to access the web server. Each user must use 
Digital Certificate Manager (DCM) to obtain a certificate by using the Create 
Certificate task. In order to obtain a certificate from the Local CA, the Local CA 
policy must allow the CA to issue user certificates. 


Each_user (Clients B, C, and D) must complete these steps to obtain a certificate: 

1. [Start] DCM. 

2. In the navigation frame, select Create Certificate. 

3. Select User certificate as the type of certificate to create. A form displays so 
that you can provide identifying information for the certificate. 

4. Complete the form and click Continue. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 
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5. At this point, DCM works with your browser to create the private and public 
key for the certificate. Your browser may display windows to guide you 
through this process. Follow the browser’s instructions for these tasks. After the 
browser generates the keys, a confirmation page displays to indicate that DCM 
created the certificate. 

6. Install the new certificate in your browser software. Your browser may display 
windows to guide you through this process. Follow the instructions that the 
browser gives to complete this task. 

7. Click OK to finish the task. 


During processing, the Digital Certificate Manager automatically associates the 
certificate with your iSeries user profile. 
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Chapter 5. Digital certificate concepts 


Before you start using digital certificates to enhance your system and network 
security policy, you should understand what they are and what security benefits 
they provide. 


A digital certificate is a digital credential that validates the identity of the 
certificate’s owner, much as a passport does. A trusted party, called a Certificate 
Authority (CA) issues digital certificates to users and server or client applications. 
The trust in the CA is the foundation of trust in the certificate as a valid credential. 


To learn more about digital certificate concepts, review these topics: 


Distinguished name 
Read this information to learn more the identification characteristics of digital 
certificates. 


Digital signatures| 
Read this information to learn what digital signatures are and how they work to 
ensure object integrity. 


ia] 


ublic-private key pair 
Read this information to learn more the security keys associated with digital 
certificates. 


Certificate Authority (CA) 


Read this information to learn more about CAs, the entities that issue digital 
certificates. 


CRL locations| 
Read this information to learn what a Certificate Revocation List (CRL) is and how 
they are used in the process of validating and authenticating certificates. 


Certificate stores 
Read this information to learn what a certificate store is and how to use Digital 
Certificate Manager (DCM) to work with them and the certificates that they contain. 


Cryptography 
Read this information to learn what cryptography is and how digital certificates use 
cryptographic functions to provide security. 


Secure Sockets Layer (SSL) 
Read this information for a brief description of SSL. 


Distinguished name 


Each CA has a policy to determine what identifying information the CA requires to 
issue a certificate. Some public Internet Certificate Authorities may require little 
information, such as a name and e-mail address. Other public CAs may require 
more information and require stricter proof of that identifying information before 
issuing a certificate. For example, CAs that support Public Key Infrastructure 
Exchange (PKIX) standards, may require that the requester verify identity 
information through a Registration Authority (RA) before issuing the certificate. 
Consequently, if you plan to accept and use certificates as credentials, you should 
review the identification requirements for a CA to determine whether their 
requirements fit your security needs. 


© Copyright IBM Corp. 1999, 2002 25 


Distinguished name (DN) is a term that describes the identifying information of 
the certificate owner and is part of the certificate itself. Depending on the 
identification policy of the CA that issues a certificate, the DN can include a 
variety of information. You can use Digital Certificate Manager (DCM) to operate a 
private Certificate Authority and issue private certificates. Also, you can use DCM 
to generate the DN information and key pair for certificates that a public Internet 
CA issues for your organization. The DN information that you can provide for 
either type of certificate includes: 

* Certificate owner’s common name 

* Organization 

* Organizational unit 

* City 

* State 

* Country 


When you use DCM to issue private certificates, you can provide additional DN 
information for the certificate, including: 

* Version 4 IP address 

* Fully qualified domain name 

* E-mail address 


This additional information is useful if you [plan to use the certificate|to configure a 


virtual private network (VPN) connection. 


Digital signatures 
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A digital signature on an electronic document or other object is created by using a 
form of Serer ae is equivalent to a personal signature on a written 
document. A digital signature provides proof of the object’s origin and a means by 
which to verify the object’s integrity. A digital certificate owner "signs” an object by 
using the certificate’s private key. The recipient of the object uses the certificate’s 
corresponding public key to decrypt the signature, which verifies the integrity of 
the signed object and verifies the sender as the source. 


A|Certificate Authority|(CA) signs certificates that it issues. This signature consists 


of a data string that is encrypted with the Certificate Authority’s private key. Any 
user can then verify the signature on the certificate by using the Certificate 
Authority’s public key to decrypt the signature. 


A digital signature is an electronic signature that you or an application creates on 
an object by using a digital certificate’s private key. The digital signature on an an 
object provides a unique electronic binding of the identity of the signer (the owner 
of the signing key) to the origin of the object. When you access an object that 
contains a digital signature, you can verify the signature on the object to verify the 
source of the object as valid (for example, that an application you are downloading 
actually comes from an authorized source such as IBM). This verification process 
also allows you to determine whether there have been any unauthorized changes 
to the object since it was signed. 


An example of how a digital signature works 
A software developer has created an iSeries application that he wants to distribute 


over the Internet as a convenient and cost-effective measure for his customers. 
However, he knows that customers are justifiably concerned about downloading 
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programs over the Internet due to the increasing problem of objects that 
masquerade as legitimate programs but really contain harmful programs, such as 
viruses. 


Consequently, he decides to digitally sign the application so that his customers can 
verify that his company is the legitimate source of the application. He uses the 
private key from a digital certificate that he has obtained from a well-known 
public Certificate Authority to sign the application. He then makes it available for 
his customers to download. As part of the download package he includes a copy 
of the digital certificate that he used to sign the object. When a customer 
downloads the application package, the customer can use the certificate’s public 
key to verify the signature on the application. This process allows the customer to 
identify and verify the of the application, as well as ensure that the contents of the 
application object has not been altered since it was signed. 


Public-private key pair 


Every digital certificate has a pair of associated cryptographic keys. This pair of 
keys consists of a private key and a public key. (Signature verification certificates 
are an exception to this rule and have an associated public key only.) 


A public key is part of the owner’s digital certificate and is available for anyone to 
use. A private key, however, is protected by and available only to the owner of the 
key. This limited access ensures that communications that use the key are kept 
secure. 


The owner of a certificate can use these keys to take advantage of the 
cryptographic security features that the keys provide. For example, the certificate 
owner can use a certificate’s private key to "sign” and encrypt data sent between 
users and servers, such as messages, documents, and code objects. The recipient of 
the signed object can then use the public key contained in the signer’s certificate to 
decrypt the signature. such ipiel ienane! ensure the reliability of an object’s 


origin and provide a means of checking the integrity of the object. 


Certificate Authority (CA) 


A Certificate Authority (CA) is a trusted central administrative entity that can issue 
digital certificates to users and servers. The trust in the CA is the foundation of 
trust in the certificate as a valid credential. A CA uses its[private key] to create a 
digital signature] on the certificate that it issues to validate the certificate’s origin. 
Others can use the CA certificate’s public key to verify the authenticity of the 
certificates that the CA issues and signs. 


A CA can be either a public commercial entity, such as VeriSign, or it can be a 
private entity that an organization operates for internal purposes. Several 
businesses provide commercial Certificate Authority services for Internet users. 
Digital Certificate Manager (DCM) allows you to manage certificates from both 
public and private CAs. 


Also, you can use DCM to operate your own private CA to issue private 
certificates to systems and users. When the CA issues a user certificate, DCM 
automatically associates the certificate with the user’s iSeries system user profile. 
This ensures that the access and authorization privileges for the certificate are the 
same as those for the owner’s user profile. 


Trusted root status 


Chapter 5. Digital certificate concepts 27 


The term trusted root refers to a special designation that is given to a Certificate 
Authority certificate. This trusted root designation allows a browser or other 
application to authenticate and accept certificates that the Certificate Authority 
(CA) issues. 


When you download a Certificate Authority’s certificate into your browser, the 
browser allows you to designate it as a trusted root. Other applications that 
support using certificates must also be configured to trust a CA before the 
application can authenticate and trust certificates that a specific CA issues. 


You can use DCM to enable or disable the trust status for a Certificate Authority 
(CA) certificate in the certificate store. When you enable a CA certificate, you can 
specify that applications can use it to authenticate and accept certificates that the 
CA issues. When you disable a CA certificate, you cannot specify that applications 
can use it to authenticate and accept certificates that the CA issues. 


Certificate Authority policy data 


When you create a Certificate Authority (CA) with Digital Certificate Manager, you 
can specify the policy data for the CA. The policy data for a CA describes the 
signing privileges that it has. The policy data determines: 

* Whether the CA can issue and sign user certificates. 

* How long certificates that the CA issues are valid. 


Certificate Revocation List (CRL) Locations 
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A Certificate Revocation List (CRL) is a file that lists all invalid and revoked 
certificates for a specific Certificate Authority (CA). CAs periodically update their 
CRLs and make them available for others to publish in Lightweight Directory 
Access Protocol (LDAP) directories. A few CAs, such as SSH in Finland, publish 
the CRL themselves in LDAP directories that you can access directly. If a CA 
publishes their own CRL, the certificate indicates this by including a CRL 
distribution point extension in the form of a Uniform Resource Identifier (URI). 


Digital Certificate Manager (DCM) allows you to define and {manage CRL location 


information to ensure more stringent authentication for certificates that you use or 
you accept from others. A CRL location definition describes the location of, and 
access information for, the Lightweight Directory Access Protocol (LDAP) server 
that stores the CRL. 


Applications that perform certificate authentication access the CRL location, if one 
is defined, for a specific CA to ensure that the CA has not revoked a specific 
certificate. DCM allows you to define and manage the CRL location information 
that applications need to perform CRL processing during certificate authentication. 
Examples of applications and processes that may perform CRL processing for 
certificate authentication are: the virtual private networking (VPN) Internet Key 
Exchange (IKE) server, Secure Sockets Layer (SSL) enabled-applications, and the 
object signing process. Also, when you define a CRL location and associate it with 
a CA certificate, DCM performs CRL processing as part of the validating process 
for certificates that the specified CA issues. . 
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Certificate stores 


A certificate store is a special key database file that Digital Certificate Manager 
(DCM) uses to store digital certificates. The certificate store also contains the 
certificate’s private key unless you choose to use a 4758 Cryptographic 
Coprocessor to store the key instead. DCM allows you to create and manage 
several types of certificate stores. DCM controls access to certificate stores through 
passwords in conjunction with access control of the IFS directory and the IFS files 
that constitute the certificate store. 


Certificate stores are classified based on the types of certificates that they contain. 
The management tasks that you can perform for each certificate store vary based 
on the type of certificate that the certificate store contains. DCM provides the 
following predefined certificate stores that you can create and manage: 


Local Certificate Authority (CA) 

DCM uses this certificate store to store the local CA certificate and its private key if 
you create a local CA. You can use the certificate in this certificate store to sign 
certificates that you use the local CA to issue. When the local CA issues a certificate, 
DCM puts a copy of the CA certificate (without the private key) in the appropriate 
certificate store (for example, *SYSTEM) for authentication purposes. Applications use 
CA certificates to verify the origination of certificates that they must validate as part 
of the SSL negotiation to grant authorization to resources. 


*SYSTEM 

DCM provides this certificate store for managing server or client certificates that 
applications use to participate in Secure Sockets Layer (SSL) communications sessions. 
IBM iSeries applications (and many other software developers’ applications) are 
written to use certificates in the “SYSTEM certificate store only. When you use DCM to 
create a local CA, DCM creates this certificate store as part of the process. When you 
choose to obtain certificates from a public CA, such as VeriSign, for your server or 
client applications to use, you must create this certificate store. 


*OBJECTSIGNING 

DCM provides this certificate store for managing certificates that you use to digitally 
sign objects. Also, the tasks in this certificate store allow you to create digital 
signatures on objects, as well as view and verify signatures on objects. When you use 
DCM to create a local CA, DCM creates this certificate store as part of the process. 
When you choose to obtain certificates from a public CA, such as VeriSign, for signing 
objects, you must create this certificate store. 


*SIGNATUREVERIFICATION 

DCM provides this certificate store for managing certificates that you use to verify the 
authenticity of digital signatures on objects. To verify a digital signature, this 
certificate store must contain a copy of the certificate that signed the object. The 
certificate store must also contain a copy of the CA certificate for the CA that issued 
the object signing certificate. You obtain these certificate either by exporting object 
signing certificates on the current system into the store or by importing certificates 
that you receive from the object signer. 


Other System Certificate Store 

This certificate store provides an alternate storage location for server or client 
certificates that you use for SSL sessions. Other System Certificate Stores are 
user-defined secondary certificate stores for SSL certificates. The Other System 
Certificate Store option allows you to manage certificates for applications that you or 
others write that use the SSL_Init API to programmatically access and use a certificate 
to establish an SSL session. This API allows an application to use the default 
certificate for a certificate store rather than a certificate that you specifically identify. 
Most commonly, you use this certificate store when migrating certificates from a prior 
release of DCM, or to create a special subset of certificates for SSL use. 
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Note: If you have a 4758 PCI Cryptographic Coprocessor installed on your iSeries 
server, you can choose other private key storage options for your certificates 
(with the exception of object signing certificates). You can elect to store the 
private key on the coprocessor itself or use the coprocessor to encrypt the 
private key and store it in a special key file instead of in a certificate store. 


DCM controls access to certificate stores through passwords. DCM also maintains 
access control of the integrated file system directory and the files that constitute 
the certificate stores. The Local Certificate Authority (CA), *SYSTEM, 
*OBJECTSIGNING, and *SIGNATUREVERIFICATION certificate stores must be 
located in the specific paths within the integrated file system, Other System 
Certificate stores can be located anywhere in the integrated file system. 


Cryptography 


Cryptography is the science of keeping data secure. Cryptography allows you to 
store information or to communicate with other parties while preventing 
noninvolved parties from understanding the stored information or understanding 
the communication. Encryption transforms understandable text into an 
unintelligible piece of data (ciphertext). Decrypting restores the understandable text 
from the unintelligible data. Both processes involve a mathematical formula or 
algorithm and a secret sequence of data (the key). 


There are two types of cryptography: 

* In shared or secret key (symmetric) cryptography, one key is a shared secret 
between two communicating parties. Encryption and decryption both use the 
same key. 

* In public key (asymmetric) cryptography, encryption and decryption each use 
different keys. A party has pair of keys consistining of a public key and a 
private key. The public key is freely distributed, usually within a digital 
certificate, while the private key is securely held by the owner. The two keys are 
mathematically related, but it is virtually impossible to derive the private key 
from the public key. An object, such as a message, that is encrypted with 
someone’s public key can be decrypted only with the associated private key. 
Alternately, a server or user can use a private key to “sign” an_object and the 
receiver can use the corresponding public key to decrypt the igital signature to 


verify the object’s source and integrity. 


Secure Sockets Layer (SSL) 


The Secure Sockets Layer (SSL), originally created by Netscape, is the industry 
standard for session encryption between clients and servers. SSL uses asymmetric, 
or public iO accrmrners to encrypt the session between a server and client. The 
client and server applications negotiate this session key during an exchange of 
digital certificates. The key expires automatically after 24 hours, and the SSL 
process creates a different key for each server connection and each client. 


Consequently, even if unauthorized users intercept and decrypt a session key 
(which is unlikely), they cannot use it to eavesdrop on later sessions. 
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Chapter 6. Plan for DCM 


To use Digital Certificate Manager (DCM) to effectively manage your company’s 
digital certificates, you must have an overall plan for how you will use digital 
certificates as part of your security policy. 


To learn more about how to plan for using DCM and to better understand how 
digital certificates can fit into your security policy, review these topics: 


Requirements for using DCM 
Read this to learn what software you must install and other information that you need 
to set up your system to use DCM. 


Types of digital certificates 


Use this information to learn about the different types of certificates that you can use 
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ublic certificates versus private certificates 
Use this information to learn how to determine which type of certificate best suits 
your business needs once your decide how you want to use certificates to take 
advantage of the additional security that they provide. You can use certificates from a 
public CA or you can create and operate a private CA to issue certificates. How you 
choose to obtain your certificates depends on how you plan to use them. 


Digital certificates for Secure Sockets Layer (SSL) communication 
Use this information to learn how to use certificates so that your applications can 
establish secure communication sessions. 


Digital certificates for user authentication 
Use this information to learn how to use certificates to provide a means of more 
strongly authenticating users who access iSeries server resources. 


Digital certificates for authenticating virtual private network (VPN) connections 
Use this information to learn how to use certificates as part of configuring a VPN 
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Digital certificates for signing objects| 
Use this information to learn how to use certificates to ensure an object’s integrity or 
to verify the digital signature on an object to verify its authenticity. 


Digital certificates for verifying object signatures 
Use this information to learn how to use certificates to verify the digital signature on 
an object to verify its authenticity. 


DCM set up requirements 


Digital Certificate Manager (DCM) is a free iSeries feature that allows you to 
centrally manage digital certificates for your applications. To use DCM successfully, 
ensure that you do the following: 

* Install the cryptographic access provider licensed program (5722—AC3). This 
cryptographic product determines the maximum key length that is permitted for 
cryptographic algorithms based on export and import regulations. You must 
install this product before you can create certificates. 

* Install option 34 of OS/400. This is the browser-based DCM feature. 

* Install the IBM HTTP Server for iSeries (5722—DG1) and start the *ADMIN server 
instance. 

* Ensure that TCP is configured for your system so that you can use a web 
browser and the HTTP Server *ADMIN instance to access the DCM feature. 
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Note: You will not be able to create certificates unless you install all the required 


products. If a required product is not installed, DCM displays an error 
message instructing you to install the missing component. 


Types of digital certificates 
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There are several classifications of digital certificates. These classifications describe 
how the certificate is used. You can use Digital Certificate Manager (DCM) to 
manage the following types of certificates: 


Certificate Authority (CA) certificates 

A Certificate Authority certificate is a digital credential that validates the identity of 
the Certificate Authority (CA) that owns the certificate. The Certificate Authority’s 
certificate contains identifying information about the Certificate Authority, as well as 
its public key. Others can use the CA certificate’s public key to verify the authenticity 
of the certificates that the CA issues and signs. A Certificate Authority certificate can 
be signed by another CA, such as VeriSign, or can be self-signed if it is an 
independent entity. A CA that you create in Digital Certificate Manager is an 
independent entity. Others can use the CA certificate’s public key to verify the 
authenticity of the certificates that the CA issues and signs. To use a certificate for 
SSL, signing objects, or verifying object signatures, you must also have a copy of the 
CA certificate for the CA that issued the certificate. 


Server or client certificates 

A server or client certificate is a digital credential that identifies the server or client 
application that uses the certificate for secure communications. Server or client 
certificates contain identifying information about the organization that owns the 
application, such as the system’s distinguished name. The certificate also contains the 
system’s public key. A server must have a digital certificate to use the[Secure Sockets] 
[Layer] (SSL) for secure communications. Applications that support digital certificates 
can examine a server's certificate to verify the identity of the server when the client 
accesses the server. The application can then use the authentication of the certificate as 
the basis for initiating an SSL-encrypted session between the client and the server. You 
can manage these types of certificates from the *SYSTEM certificate store only. 


Object signing certificates 

An object signing certificate is a certificate that you use to digitally “sign” an object. 
By signing the object, you provide a means by which you can verify both the object’s 
integrity and the origination or ownership of the object. You can use the certificate to 
sign a variety of objects, including most objects in the Integrated File System (IFS) and 
*CMD objects. You can find a complete list of signable objects in the Object signing 
and signature verification topic. When you use an object signing certificate’s private 
key to sign an object, the receiver of the object must have access to a copy of the 
corresponding signature verification certificate in order to properly authenticate the 
object signature. You can manage these types of certificates from the 
*OBJECTSIGNING certificate store only. 


Signature verification certificates 

A signature verification certificate is a copy of an object signing certificate without 
that certificate’s private key. You use the signature verification certificate’s public key 
to authenticate the digital signature created with an object signing certificate. Verifying 
the signature allows you to determine the origin of the object and whether it has been 
altered since it was signed. You can manage these types of certificates from the 
*SIGNATUREVERIFICATION certificate store only. 
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User certificates 

A user certificate is a digital credential that validates the identity of the client or user 
that owns the certificate. Many applications now provide support that allows you to 
use certificates to authenticate users to resources instead of user names and 
passwords. Digital Certificate Manager (DCM) automatically associates user 
certificates that your private CA issues with the user’s iSeries user profile. You can 
also use DCM to associate user certificates that other Certificate Authorities issue with 
the user’s iSeries user profile. 


When you use Digital Certificate Manager (DCM) to manage your certificates, 
DCM organizes them by these classifications and places them and their associated 
private keys in a|certificate store 


Note: If you have an IBM 4758 PCI Cryptographic Coprocessor installed on your 
iSeries server, you can choose other private key storage options for your 
certificates (with the exception of object signing certificates). You can elect to 
store the private key on the coprocessor itself. Or, you can use the 
coprocessor to encrypt the private key and store it in a special key file 
instead of in a certificate store. User certificates and their private keys, 
however, are stored on the user’s system, either in browser software or in a 
file for use by other client software packages. 


Public certificates versus private certificates 


Once you decide to use certificates, you should choose the type of certificate 

implementation that best suits your security needs. The choices that you have for 

obtaining your certificates include: 

* Purchasing your certificates from a public Internet Certificate Authority (CA). 

* Operating your own CA to issue private certificates for your users and 
applications. 

* Using a combination of certificates from public Internet CAs and your own CA. 


Which of these implementation choices you make depends on a number of factors, 
one of the most important being the environment in which the certificates are 
used. Here’s some information to help you better determine which implementation 
choice is right for your business and security needs. 


Using public certificates 


Public Internet CAs issue certificates to anyone who pays the necessary fee. 
However, an Internet CA still requires some proof of identity before it issues a 
certificate. This level of proof varies, though, depending on the identification policy 
of the CA. You should evaluate whether the stringency of the identification policy 
of the CA suits your security needs before deciding to obtain certificates from the 
CA or to trust the certificates that it issues. As Public Key Infrastructure for X.509 
(PKIX) standards have evolved, some newer public CAs now provide much more 
stringent identification standards for issuing certificates. While the process for 
obtaining certificates from such PKIX CAs is more involved, the certificates the CA 
issues provide better assurance for securing access to applications by specific users. 
Digital Certificate Manager (DCM) allows you to use and manage certificates from 
PKIX CAs that use these new certificate standards. 


You must also consider the cost associated with using a public CA to issue 


certificates. If you need certificates to issue to a limited number of server or client 
applications and users, cost may not be an important factor for you. However, cost 
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can be particularly important if you have a large number of private users that need 
public certificates for client authentication. In this case, you should also consider 
the administrative and programming effort needed to configure server applications 
to accept only a specific subset of certificates that a public CA issues. 


Using certificates from a public CA may save you time and resources because 
many server, client, and user applications are configured to recognize most of the 
well-known public CAs. Also, other companies and users may recognize and trust 
certificates that a well-known public CA issues more than those that your private 
CA issues. 


Using private certificates 


If you create your own Local CA, you can issue certificates to systems and users 
within a more limited scope, such as within your company or organization. 
Creating and maintaining your own CA allows you to issue certificates only to 
those users who are trusted members of your group. This provides better security 
because you can control who has certificates, and therefore who has access to your 
resources, more stringently. A potential disadvantage of maintaining your own 
Local CA is the amount of time and resources that you must invest. However, 
Digital Certificate Manager (DCM) makes this process easier for you. 


When you use a Local CA to issue certificates to users for client authentication, 
you should decide whether you want your users’ certificates to be associated_with 


iSeries user profiles. You can have users|obtain their certificates from the Local CA 
fhrough DCMI 


hrough DCM}if you want their certificates to be associated with an iSeries user 
profile. Or, beginning in V5R2, you can|use APIs to programmatically issue 
eee eee that these users do not have to have an iSeries 
user profile to use private certificates for client authentication. 


Note: No matter which CA you use to issue your certificates, the system 
administrator controls which CAs should be trusted by applications on his 
system. If a copy of a certificate for a well-known CA can be found in your 
browser, your browser can be set to trust server certificates that were issued 
by that CA. However, if that CA certificate is not in your *SYSTEM 
certificate store, your server can not trust user or client certificates that were 
issued by that CA. To trust user certificates that are issued by a CA, you 
need to get a copy of the CA certificate from the CA. It must be in the 
correct file format and you must add that certificate to your DCM certificate 
store. 


You may find it helpful to review some common certificate usage [scenarios] to help 
you choose whether using public or private certificates best suits your business 
and security needs. 


Related tasks 


After you decide how you want to use certificates and which type to use, review 
these procedures to learn more about how to use Digital Certificate Manager to put 
your plan into action: 


* |Creating and operating a private CA/describes the tasks that you must perform 


should you choose to operate a CA to issue private certificates. 


* |Managing certificates from a public Internet CA}describes the tasks that you 


must perform to use certificates from a well-known public CA, including a PKIX 
CA. 
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* {Using a Local CA on other iSeries servers| describes the tasks that you must 


perform if you want to use certificates from a private CA on more than one 
system. 


Digital certificates for SSL secure communications 


You _can use digital certificates to}configure applications to use the Secure Sockets 


Layer (SSL)| for secure communications sessions. To establish an SSL session, your 
server always provides a copy of its certificate for validation by the client that 
requests a connection. Using an SSL connection: 


* Assures the client or end-user that your site is authentic. 


* Provides an encrypted communications session to ensure that data that passes 
over the connection remains private. 


The server and client applications work together as follows to ensure data security: 


1. The server application presents the certificate to the client (user) application as 
proof of the server’s identity. 


2. The client application verifies the server’s identity against a copy of the issuing 
Certificate Authority certificate. (The client application must have access to a 
locally stored copy of the relevant CA certificate.) 


3. The server and client applications agree on a symmetric key for encryption and 
use it to encrypt the communications session. 


4. Optionally, the server now can require the client to provide proof of identify 
before allowing access to the requested resources. To use certificates as proof of 
identity, the communicating applications must Sapper acing orien fo 


SSL uses asymmetric key (public key) algorithms during SSL handshake processing 
to negotiate a symmetric key that is subsequently used for encrypting and 
decrypting the application’s data for that particular SSL session. This means that 
your server and the client use different session keys, which automatically expire 
after a set amount of time, for each connection. In the unlikely event that someone 
intercepts and decrypts a particular session key, that session key cannot be used to 
deduce any future keys. 


Digital certificates for user authentication 


Traditionally, users receive access to resources from an application or system based 
on their user name and password. You can further augment system security by 
using digital certificates (instead of user names and passwords) to authenticate and 
authorize sessions between many server applications and users. Also, you can use 
Digital Certificate Manager (DCM) to associate a user’s certificate with that user’s 
iSeries user profile. The certificate then has the same authorizations_and 
permissions as the associated profile. Beginning in V5R2, you can [use APIs| to 
programmatically use your private Local Certificate Authority to issue certificates 
to non-iSeries users. These APIs provide you with the ability to issue private 
certificates to users when you do not want these users to have an iSeries user 
profile. 


A digital certificate acts as an electronic credential and verifies that the person 
presenting it is truly who she claims to be. In this respect, a certificate is similar to 
a passport. Both establish an individual’s identity, contain a unique number for 
identification purposes, and have a recognizable issuing authority that verifies the 
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credential as authentic. In the case of a certificate, a Certificate Authority (CA) 
functions as the trusted, third party that issues the certificate and verifies it as an 
authentic credential. 


For authentication purposes, certificates make use of a public key and a related 
private key. The issuing CA binds these keys, along with other information about 
the certificate owner, to the certificate itself for identification purposes. 


An increasing number of applications now provide support for using certificates 
for client authentication during an SSL session. Currently, these iSeries applications 
provide client authentication certificate support: 

* Telnet server 

* IBM HTTP Server (original and powered by Apache) 

* Directory Services (LDAP) server 

* Management Central 

* Client Access Express (including iSeries Navigator) 

¢ FTP server 


Over time, additional applications may provide client authentication certificate 
support; review the documentation for specific applications to determine whether 
they provide this support. 


Certificates can provide a stronger means of authenticating users for several 

reasons: 

* There is the possibility that an individual might forget his or her password. 
Therefore, users must memorize or record their user names and passwords to 
ensure that they remember them. As a result, unauthorized users may more 
readily obtain user names and passwords from authorized users. Because 
certificates are stored in a file or other electronic location, client applications 
(rather than the user) handle accessing and presenting the certificate for 
authentication. This ensures users are less likely to share certificates with 
unauthorized users unless unauthorized users have access to the user’s system. 
Also, certificates can be installed on smart cards as an additional means of 
protecting them from unauthorized usage. 

* A certificate contains a private key that is never sent with the certificate for 
identification. Instead, the system uses this key during encryption and 
decryption processing. Others can use the certificate’s corresponding public key 
to verify the identity of the sender of objects that are signed with the private 
key. 

* Many systems require passwords that are 8 characters or shorter in length, 
making these passwords more vulnerable to guessing attacks. A certificate’s 
cryptographic keys are hundreds of characters long. This length, along with their 
random nature, makes cryptographic keys much harder to guess than 
passwords. 

* Digital certificate keys provide several potential uses that passwords cannot 
provide, such as data integrity and privacy. You can use certificates and their 
associated keys to: 

— Assure data integrity by detecting changes to data. 

— Prove that a particular action was indeed performed. This is called 
nonrepudiation. 

— Ensure the privacy of data transfers by using the Secure Sockets Layer (SSL) 
to encrypt communication sessions. 


To learn more about configuring iSeries server applications to _use certificates for 
client authentication during an SSL session, see [Securing applications with SSL 
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Digital certificates for VPN connections 
You can use digital certificates as a means of|establishing an iSeries virtual private 
network (VPN) connection! Both endpoints of a dynamic VPN connection must be 


able to authenticate each other before activating the connection. Endpoint 
authentication is done by the Internet Key Exchange (IKE) server on each end. 


After successful authentication, the IKE servers then negotiate the encryption 
methodologies and algorithms they will use to secure the VPN connection. 


Prior to V5R1, the IKE servers could authenticate each other through the use of a 
pre-shared key only. Using a pre-shared key is less secure because you must 
communicate this key manually to the administrator of the other endpoint for your 
VPN. Consequently, there is a possibility that the key could be exposed to others 
during the process of communicating the key. 


You can avoid this risk by using digital certificates to authenticate the endpoints 
instead of using a pre-shared key. The IKE server can authenticate the other 
server's certificate to establish a connection to negotiate the encryption 
methodologies and algorithms the servers will use to secure the connection. 


You can use Digital Certificate Manager (DCM) to manage the certificates that your 
IKE server uses for establishing a dynamic VPN connection. You_ must first decide 


whether to use |public certificates versus issuing private certificates|for your IKE 


server. 


Some VPN implementations require that the certificate contain alternative subject 
name information, such as a domain name or an e-mail address, in addition to the 
standard distinguished name information. When you use the DCM utility’s private 
CA to issue a certificate you can specify alternative subject name information for 
the certificate. Specifying this information ensures that your iSeries VPN 
connection is compatible with other VPN implementations that may require it for 
authentication. 


To learn more about how to manage certificates for your VPN connections, review 
these resources: 


* If you have never used DCM to manage certificates before, these topics will help 
you get started: 


— |Creating and operating a Local, private CA}describes how to use DCM to 


issue private certificates for your applications. 


— |Managing certificates from a public Internet CA}describes how to use DCM to 


work with certificates from a public CA. 


* If you currently use DCM to manage certificates for other applications, review 
these resources to learn how to specify that an application use an existing 
certificate and which certificates the application can accept and authenticate: 


— |Managing the certificate assignment for an application| describes how to use 


DCM to assign an existing certificate to an application, such as your IKE 
server. 


— |Defining a CA trust list for an application} describes how to specify which 


CAs an application can trust when the application accepts certificates for 
client (or VPN) authentication. 
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Digital certificates for signing objects 


Beginning in V5R1, OS/400 provides support for using certificates to digitally 
"sign" objects. Digitally signing objects provides a way to verify both the integrity 
of the object’s contents and its source of origin. Object signing support augments 
traditional iSeries system tools for controlling who can change objects. Traditional 
controls cannot protect an object from unauthorized tampering while the object is 
in transit across the Internet or other untrusted network, or while the object is 
stored on a non-iSeries system. Also, traditional controls cannot always determine 
whether unauthorized changes to or tampering with an object has occurred. Using 
digital signatures on objects provides a sure means of detecting changes to the 
signed objects. 


Placing a digital signature on an object consists of using a certificate’s private key 
to add an encrypted mathematical summary of the data in an object. The signature 
protects the data from unauthorized changes. The object and its contents are not 
encrypted and made private by the digital signature; however, the summary itself 
is encrypted to prevent unauthorized changes to it. Anyone who wants to ensure 
that the object has not been changed in transit and that the object originated from 
an accepted, legitimate source can use the signing certificate’s public key to verify 
the original digital signature. If the signature no longer matches, the data may 
have been altered. In such a case, the recipient can avoid using the object and can 
instead contact the signer to obtain another copy of the signed object. 


If you decide that using digital signatures fits your security needs and policies, 
ou should evaluate whether you should a cree TEES 
If you intend to distribute objects to users in the general public, 
you should consider using certificates from a well-known public Certificate 
Authority (CA) to sign objects. Using public certificates ensures that others can 
easily and inexpensively verify the signatures that you place on objects that you 
distribute to them. If, however, you intend to distribute objects solely within your 
organization, you may prefer to use Digital Certificate Manager (DCM) to operate 
your own Local CA to issue certificates for signing objects. Using private 
certificates from a Local CA to sign objects is less expensive than purchasing 
certificates from a well-known public CA. 


The signature on an object represents the system that signed the object, not a 
specific user on that system (although the user must have the appropriate 
authority to use the certificate for signing objects). You use Digital Certificate 


Manager (DCM) to manage the certificates that you_use to sign objects_and to 
verify object signatures. You can also use DCM to]sign objects}and to |verify object 


Digital certificates for verifying object signatures 
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Beginning in V5R1, iSeries provides support for using certificates to verify digital 
signatures on objects. Anyone who wants to ensure that a signed object has not 
been changed in transit and that the object originated from an accepted, legitimate 
source can use the signing certificate’s public key to verify the original digital 
signature. If the signature no longer matches, the data may have been altered. In 
such a case, the recipient can avoid using the object and can instead contact the 
signer to obtain another copy of the signed object. 


The signature on an object represents the system that signed the object, not a 
specific user on that system. As part of the process of verifying digital signatures, 
you must decide which Certificate Authorities you trust and which certificates you 
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trust for signing objects. When you elect to trust a CA, you can elect whether to 
trust signatures that someone creates by using a certificate that the trusted CA 
issued. When you elect not to trust a CA, you also are electing not to trust 
certificates that the CA issues or signatures that someone creates by using those 
certificates. 


Verify object restore (QVFYOBJRST) system value 


If you decide to perform signature verification, one of the first important decisions 
you must make is to determine how important signatures are for objects being 
restored to your system. You control this with a system value called QVFYOBJRST. 
The default setting for this system value allows unsigned objects to be restored, 
but ensures that signed objects can be restored only if the objects have a valid 
signature. The system defines an object as signed only if the object has a signature 
that your system trusts; the system ignores other, “untrusted” signatures on the 
object and treats the object as if it is unsigned. 


There are several values that you can use for the (QVFYOBJRST|system value, 


ranging from ignoring all signatures to requiring valid signatures for all objects 
that the system restores. This system value only affects executable objects that are 
being restored, not save files or IFS files. To learn more about using this and other 
system values, see the[System Value Finder] in the Information Center. 


You use Digital Certificate Manager (DCM) to implement your certificate and CA 


trust decisions as well as to manage the certificates that you _use to verify object 
signatures. You can also use DCM to and tolverify object signatures 
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Chapter 7. Configure DCM 


Digital Certificate Manager (DCM) provides a browser-based user interface that 
you can use to manage digital certificates for your applications and users. The user 
interface is divided into two main frames: a navigation frame and a task frame. 


You use the navigation frame to select the tasks to manage certificates or the 
applications that use them. While some individual tasks appear directly in the 
main navigation frame, most tasks in the navigation frame are organized into 
categories. For example, Manage Certificates is a task category that contains a 
variety of individual guided tasks, such as View certificate, Renew certificate, 
Import certificate, and so forth. If an item in the navigation frame is a category that 
contains more than one task, an arrow appears to the left of it. The arrow indicates 
that when you select the category link, an expanded list of tasks displays so that 
you may choose which task to perform. 


With the exception of the Fast Path category, each task in the navigation frame is a 
guided task that takes you through a series of steps to complete the task quickly 
and easily. The Fast Path category provides a cluster of certificate and application 
management functions which allows experienced DCM users to quickly access a 
variety of related tasks from a central set of pages. 


Which tasks are available in the navigation frame vary based on the|certificate] 
[store] in which you are working. Also, the category and number of tasks that you 
see in the navigation frame vary depending on the authorizations that your iSeries 
user profile has. All tasks for operating a CA, managing the certificates that 
applications use, and other system level tasks are available only to iSeries security 
officers or administrators. The security officer or administrator must have 
*SECADM and *ALLOBJ special authorities to view and use these tasks. Users 
without these special authorities have access to user certificate functions only. 


To learn how to configure DCM and begin using it to manage your certificates, 
review these topics: 


Read this to learn how to access the Digital Certificate Manager feature on your 
iSeries. 


Set up certificates for the first time 


Read this to learn how to begin using DCM to set up everything that you need to 
start using certificates for the first time. Learn how to get started managing certificates 
from a public Internet Certificate Authority (CA) or how to create and operate a 
private Local CA to issue certificates. 


If you would like more educational information about using digital certificates in 
an Internet environment for enhancing your system and network security, the 
VeriSign web site is an excellent resource. The VeriSign web site provides an 
extensive library on digital certificates topics, as well as a number of other Internet 


security subjects. You can access their library at the |VeriSign Help Desk * 
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Start Digital Certificate Manager 


Before you can use any of its functions, you need to start Digital Certificate 
Manager (DCM). Complete these tasks to ensure that you can start DCM 
successfully: 

1. Install 5722 SS1 Option 34. This is Digital Certificate Manager (DCM). 


Install 5722 DG1. This is the IBM HTTP Server for iSeries. 


Install 5722 AC3. This is the cryptography product that V5R2 DCM uses to 
generate a public-private key pair for certificates, to encrypt exported certificate 
files, and decrypt imported certificate files. 
2. Use iSeries Navigator to start the HTTP Server *ADMIN instance: 
a. Start iSeries Navigator. 
b. Double-click your iSeries server in the main tree view. 
c. Double-click Network. 
d. Double-click Servers. 
e. Double-click TCP/IP. 
f. Right-click HTTP Administration. 
g. Click Start. 
3. Start your web browser. 
4. Using your browser, go to the iSeries Tasks page on your system at 
http:/ /your_system_name:2001. 
5. Select Digital Certificate Manager from the list of products on the iSeries Tasks 
page to access the DCM feature. 


If you are [migrating] from an earlier version of DCM, this page will give you the 
details you need to upgrade your system. 


Set up certificates for the first time 


The left frame of Digital Certificate Manager (DCM) is the task navigation frame. 
You can use this frame to select a wide variety of tasks for managing certificates 
and the applications that use them. Which tasks are available depends on which 
certificate store (if any) you have opened and your user profile authority. Most 
tasks are available only if you have *ALLOBJ and *SECADM special authorities. 


When you use Digital Certificate Manager (DCM) for the first time, no certificate 
stores exist (unless you have migrated from a previous version of DCM). 
Consequently, the navigation frame displays only these tasks when you have the 
necessary authorities: 

* Manage User Certificates. 

* Create New Certificate Store. 


* Create a Certificate Authority (CA). (Note: After you use this task to create a 
private CA, this task no longer appears in the list.) 


* Manage CRL Locations. 
* Manage PKIX Request Location. 


Even if certificate stores already exist on your system (for example, you are 

from an earlier version of DCM), DCM displays only a limited number 
of tasks or task categories in the left navigation frame. You must first access the 
appropriate certificate store before you can begin working with most certificate and 
application management tasks. To open a specific certificate store, click Select a 
Certificate Store in the navigation frame. 
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The navigation frame of DCM also provides a Secure Connection button. You can 
use this button to bring up a second browser window to initiate a secure 
connection by using Secure Sockets Layer (SSL). To use this function successfully, 
you must first configure the IBM HTTP Server for iSeries to use SSL to operate in 
secure mode. You must then start the HTTP Server in secure mode. If you have not 
configured and started the HTTP Server for SSL operation, you will see an error 
message and your browser will not start a secure session. 


Getting started 


Although you may want to use certificates to accomplish a number of 
security-related goals, what you do first depends on how you plan to obtain your 


certificates. There are two primary paths that_you can take when you first use 
DCM, based on whether you intend to use |public certificates versus issuing private 
Create and operate a Local CA|to issue certificates to your applications. 
Manage certificates from a public Internet CA|for your applications to use. 


Create and operate a Local CA 


After careful review of your security needs and policies, you have decided to 
operate a Local Certificate Authority (CA) to issue private certificates for your 
applications. You can use Digital Certificate Manager (DCM) to create and operate 
your own Local CA. DCM provides you with a guided task path that takes you 
through the process of creating a CA and using it to issue certificates to your 
applications. The guided task path ensures that you have everything you need to 
begin using digital certificates to configure applications to use SSL and to sign 
objects and verify object signatures. 


Note: To use certificates with the IBM HTTP Server for iSeries, you should create 
and configure your web server prior to working with DCM. When you 
configure a web server to use SSL, an application ID is generated for the 
server. You must make a note of this application ID so that you can use 
DCM to specify which certificate this application should use for SSL. 


Do not end and restart the server until you use DCM to assign a certificate 
to the server. If you end and restart the *ADMIN instance of the web server 
prior to assigning a certificate to it, the server will not start and you will not 
be able to use DCM to assign a certificate to the server. 


To use DCM to create and operate a Local CA, follow these steps: 

; 

2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to 
display a series of forms. These forms guide you through the process of 
creating a Local CA and completing other tasks needed to begin using digital 
certificates for SSL, object signing, and signature verification. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) button at the top of the page to 
access the online help. 

3. Complete all the forms for this guided task. In using these forms to perform all 
the tasks that you need to set up a working Local Certificate Authority (CA), 
you: 

a. Choose how to store the private key for the Local CA certificate. (This step 

is included only if you have an IBM 4758-023 PCI Cryptographic 


Chapter 7. Configure DCM 43 


44 


Coprocessor installed on your iSeries. If your system does not have a 
cryptographic coprocessor, DCM automatically stores the certificate and its 
private key in the Local Certificate Authority (CA) certificate store.) 

b. Provide identifying information for the Local CA. 

c. Install the Local CA certificate on your PC or in your browser so that your 
software can recognize the Local CA and validate certificates that the CA 
issues. 

d. Choose the policy data for your Local CA. 

e. Use the new Local CA to issue a server or client certificate that your 
applications can use for SSL connections. (If your iSeries has an IBM 
4758-023 PCI Cryptographic Coprocessor installed, this step allows you to 
select how to store the private key for the server or client certificate. If your 
system does not have a coprocessor, DCM automatically places the 
certificate and its private key in the *SYSTEM certificate store. DCM creates 
the “SYSTEM certificate store as part of this subtask.) 

f. Select the applications that can use the server or client certificate for SSL 
connections. 


Note: If you used DCM previously to create the “SYSTEM certificate store to 
manage certificates for SSL from a public Internet CA, you do not 
perform this or the previous step. 

g. Use the new Local CA to issue an object signing certificate that applications 
can use to digitally sign objects. This subtask creates the *OBJECTSIGNING 
certificate store; this is the certificate store that you use to manage object 
signing certificates. 

h. Select the applications that can use the object signing certificate to place 
digital signatures on objects. 


Note: If you used DCM previously to create the *OBJECTSIGNING 
certificate store to manage object signing certificates from a public 
Internet CA, you do not perform this or the previous step. 
i. Select the applications that should trust your Local CA. 


When you finish the guided task, you have everything that you need to begin 


configuring your applications to use SSL|for secure communications. 


After you configure your applications, users that access the applications through 
an SSL connection must use DCM to obtain a copy of the Local CA certificate. Each 
user must have a copy of the certificate so that the user’s client software can use it 
to authenticate the server’s identity as part of the SSL negotiation process. Users 
can use DCM either to copy the Local CA certificate to a file or to download the 
certificate into their browser. How the users store the Local CA certificate depends 
on the client software that they use to establish an SSL connection to an application 


= ai can use this Local CA tol]issue certificates to applications on other iSeries 


systems|in your network. 


To learn more about using DCM to manage user certificates and how users can 
obtain a copy of the Local CA certificate to authenticate certificates the Local CA 
issues, review these topics: 


Manage user certificates 


Learn how your users can use DCM to obtain certificates or associate existing 
certificates with their iSeries user profiles. 
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Use APIs to programmatically issue certificates to non-iSeries users 


Learn how you can use your Local CA to issue private certificates to users without 
associating the certificate with an iSeries user profile. 


Obtain a copy of the private CA certificate 


Learn how to obtain a copy of the private CA certificate and install it on your PC so 
that you can authenticate any server certificates that the CA issues. 


Manage user certificates 

You and your users can use Digital Certificate Manager (DCM) to manage the 
certificates that your users need and use to participate in Secure Sockets Layer 
(SSL) sessions. 


If users access your public or internal servers through an SSL connection, they 
must have a copy of the Certificate Authority (CA) certificate that issued the 
server's certificate. They must have the CA certificate so that their client software 
can validate the authenticity of the server certificate to establish the connection. If 
your server uses a certificate from a public CA, your users’ software should 
already possess a copy of the CA certificate. Consequently, neither you as a DCM 
administrator, nor your users, need take any action before they can participate in 
an SSL session. However, if your server uses a certificate from a private Local CA, 
your users soviet (oben eos of hellincal CA cenicatd betes they can establish 


an SSL session with the server. 


Additionally, if the server application supports and requires client authentication 
through certificates, users must present an acceptable user certificate to access 
resources that the server provides. Depending on your security needs, users can 
present a certificate from a public Internet CA or one that they obtain from a Local 
CA that you operate. If your server application provides access to resources for 
internal users who currently have iSeries user profiles, you can use DCM to add 
their certificates to their user profiles. This association ensures that users have the 
same access and restrictions to resources when presenting certificates as their user 
profile grants or denies. 


Digital Certificate Manager (DCM) allows you to manage certificates that are 
assigned to an iSeries user profile. If you have a user profile with *SECADM and 
*ALLOBJ special authorities, you can manage user profile certificate assignments 
for yourself or for other users. When no certificate store is open, or when the Local 
Certificate Authority (CA) certificate store is open, you can select Manage User 
Certificates in the navigation frame to access the appropriate tasks. If a different 
certificate store is open, user certificate tasks are integrated into the tasks under 
Manage Certificates. 


Users without *SECADM and *ALLOBJ user profile special authorities can manage 
their own certificate assignments only. They can select Manage User Certificates to 
access tasks that allow them to view the certificates associated with their user 
profiles, remove a certificate from their user profiles, or assign a certificate from a 
different CA to their user profiles. Users, regardless of the special authorities for 
their user profiles, can obtain a user certificate from the Local CA by selecting the 
Create Certificate task in the main navigation frame. 


To learn more about how to use DCM to manage and create user certificates, 
review these topics: 
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Create a user certificate 


Use this information to learn how users can use the Local CA to issue a certificate for 
client authentication. 


Assign a user certificate 


Use this information to learn how to associate a certificate that you own with your 
user profile. The certificate may be from a private Local CA on another system or 
from a well-known Internet CA. Before you can assign a certificate to your user 
profile, the issuing CA must be trusted by the server, and the certificate must not 
already be associated with a user profile on the system. 


Create a user certificate: If you want to use digital certificates for user 
authentication, users must have certificates. If you use Digital Certificate Manager 
(DCM) to operate a private Local Certificate Authority (CA), you can use the Local 
CA to issue certificates to each user. Each user must access DCM to obtain a 
certificate by using the Create Certificate task. In order to obtain a certificate from 
the Local CA, the CA policy must allow the CA to issue user certificates. 


To obtain a certificate from the Local CA, complete these steps: 

1 

2. In the navigation frame, select Create Certificate. 

3. Select User certificate as the type of certificate to create. A form displays so 
that you can provide identifying information for the certificate. 

4. Complete the form and click Continue. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

5. At this point, DCM works with your browser to create the private and public 
key for the certificate. Your browser may display windows to guide you 
through this process. Follow the browser’s instructions for these tasks. After the 
browser generates the keys, a confirmation page displays to indicate that DCM 
created the certificate. 

6. Install the new certificate in your browser software. Your browser may display 
windows to guide you through this process. Follow the instructions that the 
browser gives to complete this task. 

7. Click OK to complete the task. 


During processing, the Digital Certificate Manager automatically associates the 
certificate with your iSeries user profile. 


If you want a certificate from another CA that a user presents for client 
authentication to have the same authorities as their user profile, the user can use 


DCM tolJassign the certificate] to their user profile. 


Assign a user certificate: If you want to use digital certificates for user 
authentication, users must have certificates. If your users must present certificates 
from a public Internet Certificate Authority (CA), they can use Digital Certificate 
Manager (DCM) to assign these certificates to their user profiles. This allows you 
and the user to use DCM to manage these certificates. 


To use the Assign a user certificate task, you must have a secure session with the 
HTTP Server through which you are accessing Digital Certificate Manager (DCM). 
Whether you have a secure session is determined by the port number in the URL 
that you used to access DCM. If you used port 2001, which is the default port for 
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accessing DCM, you do not have a secure session. Also, the HTTP Server must be 
configured to use SSL before you can switch to a secure session. 


When you select this task, a new browser window displays. If you do not have a 
secure session, DCM prompts you to click Assign a User Certificate to start one. 
DCM then initiates Secure Sockets Layer (SSL) negotiations with your browser. 


As part of these negotiations, your browser may prompt you as to whether to trust 
the Certificate Authority (CA) that issued the certificate that identifies the HTTP 
Server. Also, the browser may prompt you as to whether to accept the server 
certificate itself. 


After you allow the browser to trust the CA and accept the server certificate, the 
server may request that you present a certificate for client authentication. 
Depending on the configuration settings for your browser, your browser may 
prompt you to select a certificate to present for authentication. If your browser 
presents a certificate from a CA that the system accepts as trusted, DCM displays 
the certificate information in a separate window. If you do not present an 
acceptable certificate, the server may prompt you instead for your user name and 
password for authentication before allowing you access. 


Once you establish a secure session, DCM attempts to retrieve an appropriate 
certificate from your browser so that it can associate it with your user profile. If 
DCM successfully retrieves one or more certificates, you can view the certificate 
information and choose to associate the certificate with your user profile. 


If DCM does not display information from a certificate, you were not able to 


provide a certificate that DCM could assign to your user profile. One of several 
user certificate problems|may be responsible. For example, the certificates that your 


browser contains may be associated with your user profile already. 


If you prefer to use a Local CA to issue certificates to your users, users must|create 
la user certificate} instead. 


Use APIs to programmatically issue certificates to non-iSeries 
users 

Beginning in V5R2, there are two new APIs available that you can use to 
programmatically issue certificates to non-iSeries users. In previous releases, when 
you used your Local Certificate Authority (CA) to issue certificates to users, these 
certificates were automatically associated with their iSeries user profiles. 
Consequently, to use the Local CA to issue a certificate to a user for client 
authentication, you had to provide that user with an iSeries user profile. Also, 
when users needed to obtain a certificate from a Local CA for client authentication, 
each user had to use Digital Certificate Manager (DCM) to create the needed 
certificate. Therefore, each user must have a user profile on the iSeries server that 
hosts DCM and a valid signon to that iSeries server. 


Having the certificate associated with a user profile has its advantages, especially 
when internal users are concerned. However, these restrictions and requirements 
made it less practical to use the Local CA to issue user certificates for a large 
number of users, especially when you do not want those users to have an iSeries 
user profile. To avoid providing user profiles to these users, you would need to 
require users to pay for a certificate from a well-known CA if you wanted to 
require certificates for user authentication for your applications. 
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These two new APIs provide support that allows you to provide an interface for 
creating user certificates signed by the Local CA certificate for any user name. This 
certificate will not be associated with a user profile. The user does not need to exist 
on the iSeries server that hosts DCM and the user does not need to use DCM to 
create the certificate. 


There are two APIs, one for each of the predominate browser programs, that you 
can invoke when using Net.Data® to create a program for issuing certificates to 
users. The application that you create must provide the Graphical User Interface 
(GUI) code needed to create the user certificate and to call one of the appropriate 
API to use the Local CA to sign the certificate. 


For more information about using these APIs, see these pages: 
* Generate and Sign User Certificate Request (QYCUGSUC) API. 
* Sign User Certificate Request (QYCUSUC) API. 


Obtain a copy of the private CA certificate 

When you access a server that uses a Secure Sockets Layer (SSL) connection, the 
server presents a certificate to your client software as proof of its identity. Your 
client software must then validate the server’s certificate before the server can 
establish the session. To validate the server certificate, your client software must 
have access to a locally stored copy of the certificate for the Certificate Authority 
(CA) that issued the server certificate. If the server presents a certificate from a 
public Internet CA, your browser or other client software should already have a 
copy of the CA certificate. If, however, the server presents a certificate from a 
private Local CA, you must use Digital Certificate Manager (DCM) to obtain a 
copy of the Local CA certificate. 


You can use DCM to download the Local CA certificate directly into your browser, 
or you can copy the Local CA certificate into a file so that other client software can 
access and use it. If you use both your browser and other applications for secure 
communications, you may need to use both methods to install the Local CA 
certificate. If using both methods, install the certificate in your browser before you 
copy and paste it into a file. 


If the server application requires that you authenticate yourself by presenting a 
certificate from the Local CA, you should download the Local CA certificate into 
your browser pelo bequesting « userceritcatcl um the Local CA. 

To use DCM to obtain a copy of a Local CA certificate, complete these steps: 

1. 

2. In the navigation frame, select Install Local CA Certificate on Your PC to 
display a page that allows you to download the Local CA certificate into your 
browser or to store it in a file on your system. 

3. Select a method for obtaining the Local CA certificate. 

a. Select Install certificate to download the Local CA certificate as a trusted 
root in your browser. This ensures that your browser can establish secure 
communications sessions with servers that use a certificate from this CA. 
Your browser will display a series of windows to help you complete the 
installation. 

b. Select Copy and paste certificate to display a page that contains a specially 
coded copy of the Local CA certificate. Copy the text object shown on the 
page into your clipboard. You must later paste this information into a file. 
This file is used by a PC utility program (such as MKKF or IKEYMAN) to 


store certificates for use by client programs on the PC. Before your client 
applications can recognize and use the Local CA certificate for 
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authentication, you must configure the applications to recognize the 
certificate as a trusted root. Follow the instructions that these applications 
provide for using the file. 

4. Click OK to return to the Digital Certificate Manager home page. 


Manage certificates from a public Internet CA 


After careful review of your security needs and policies, you have decided that 
you want to use certificates from a public Internet Certificate Authority (CA), such 
as VeriSign. For example, you operate a public web site and want to use the Secure 
Sockets Layer (SSL) for secure communication sessions to ensure the privacy of 
certain information transactions. Because the web site is available to the general 
public, you want to use certificates that most web browsers can recognize readily. 


Or, you develop applications for external customers and want to use a public 
certificate to digitally sign the application packages. By signing the application 
package, your customers can be sure that the package came from your company 
and that unauthorized parties have not altered the code while it was in transit. You 
want to use a public certificate so that your customers can easily and inexpensively 
verify the digital signature on the package. You can also use this certificate to 
verify the signature before sending the package to your customers. 


You can use the guided tasks in Digital Certificate Manager (DCM) to centrally 
manage these public certificates and the applications that use them for establishing 
SSL connections, signing objects, or verifying the authenticity of digital signatures 
on objects. 


Manage public certificates 


When you use DCM to manage certificates from a public Internet CA, you must 
first create a certificate store. A certificate store is a special key database file that 
DCM uses to store digital certificates and their associated private keys. DCM 
allows you to create and manage several types of certificate stores based on the 
types of certificates that they contain. 


The type of certificate store that you create, and the subsequent tasks that you 
must perform for managing your certificates and the applications that use them, 
depends on how you plan to use your certificates. To learn how to use DCM to 
create the appropriate certificate store and manage public Internet certificates for 
your applications, review these topics: 


* |Manage public Internet certificates for SSL communications sessions 
Manage public Internet certificates for signing objects 
Manage Internet certificates for verifying object signatures 


DCM also allows you to lmanage certificates] that you obtain from a Public Key 


Infrastructure for X.509 (PKIX) Certificate Authority. 


Manage public Internet certificates for SSL communications 
sessions 

You can use Digital Certificate Manager (DCM) to manage public Internet 
certificates for your applications to use for establishing secure communications 
sessions with the Secure Sockets Layer (SSL). If you do not use DCM to operate 
your own Local Certificate Authority (CA), you must first create the appropriate 
certificate store for managing the public certificates that you use for SSL. This is 
the *SYSTEM certificate store. When you create a certificate store, DCM takes you 
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through the process of creating the certificate request information that you must 
provide to the public CA to obtain a certificate. 


To use DCM to manage and use public Internet certificates so that your 
applications can establish SSL communications sessions, follow these steps: 


1. |Start DCM 


2. In the navigation frame of DCM, select Create New Certificate Store to start 
the guided task and complete a series of forms. These forms guide you 
through the process of creating a certificate store and a certificate that your 
applications can use for SSL sessions. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 


3. Select *SYSTEM as the certificate store to create and click Continue. 


4. Select Yes to create a certificate as part of creating the *SYSTEM certificate 
store and click Continue. 


5. Select VeriSign or other Internet Certificate Authority (CA) as the signer of 
the new certificate, and click Continue to display a form that allows you to 
provide identifying information for the new certificate. 


Note: If your iSeries has an IBM 4758-023 PCI Cryptographic Coprocessor 
installed, DCM allows you to select how to store the private key for the 
certificate as the next task. If your system does not have a coprocessor, 
DCM automatically places the private key in the *SYSTEM certificate 
store. If you need help with selecting how to store the private key, see 
the online help in DCM. 


6. Complete the form and click Continue to display a confirmation page. This 
confirmation page displays the certificate request data that you must provide 
to the public Certificate Authority (CA) that will issue your certificate. The 
Certificate Signing Request (CSR) data consists of the public key and other 
information that you specified for the new certificate. 


7. Carefully copy and paste the CSR data into the certificate application form, or 
into a separate file, that the public CA requires for requesting a certificate. You 
must use all the CSR data, including both the Begin and End New Certificate 
Request lines. When you exit this page, the data is lost and you cannot 
recover it. Send the application form or file to the CA that you have chosen to 
issue and sign your certificate. 


Note: You must wait for the CA to return the signed, completed certificate 
before you can finish this procedure. 


Note: To use certificates with the HTTP Server for iSeries, you should create 
and configure your web server prior to working with DCM to work 
with the signed completed certificate. When you configure a web server 
to use SSL, an application ID is generated for the server. You must 
make a note of this application ID so that you can use DCM to specify 
which certificate this application should use for SSL. 


Do not end and restart the server until you use DCM to assign the 
signed completed certificate to the server. If you end and restart the 
*ADMIN instance of the web server prior to assigning a certificate to it, 
the server will not start and you will not be able to use DCM to assign 
a certificate to the server. 
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8. After the public CA returns your signed certificate, start DCM. 


9. In the navigation frame, click Select a Certificate Store and select *SYSTEM 
as the certificate store to open. 


10. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 


11. After the navigation frame refreshes, select Manage Certificates to display a 
list of tasks. 


12. From the task list, select Import certificate to begin the process of importing 
the signed certificate into the *SYSTEM certificate store. After you finish 
importing the certificate, you can specify the applications that should use it 
for SSL communications. 


13. In the navigation frame, select Manage Applications to display a list of tasks. 


14. From the task list, select Update certificate assignment to display a list of 
SSL-enabled applications for which you can assign a certificate. 


15. Select an application from the list and click Update Certificate Assignment. 


16. Select the certificate that you imported and click Assign New Certificate. 
DCM displays a message to confirm your certificate selection for the 
application. 


Note: Some SSL-enabled applications support client authentication based on 
certificates. If you want an application with this support to be able to 
authenticate certificates before providing access to resources, you must 
define a CA trust list] for the application. This ensures that the 
application can validate only those certificates from CAs that you 
specify as trusted. If a user or a client application presents a certificate 
from a CA that is not specified as trusted in the CA trust list, the 
application will not accept it as a basis for valid authentication. 


When you finish the guided task, you have everything that you need to begin 

Gon figurine your applications use Sollice secure communications. Before users 
can access these applications through an SSL session, they must have a copy of the 
CA certificate for the CA that issued the server certificate. If your certificate is from 
a well-known Internet CA, your users’ client software may already have a copy of 
the necessary CA certificate. If users need to obtain the CA certificate, they should 
access the web site for the CA and follow the directions the site provides. 


Manage public Internet certificates for signing objects 

You can use Digital Certificate Manager (DCM) to manage public Internet 
certificates to digitally sign objects. If you do not use DCM to operate your own 
Local Certificate Authority (CA), you must first create the appropriate certificate 
store for managing the public certificates that you use for signing objects. This is 
the *OBJECTSIGNING certificate store. When you create a certificate store, DCM 
takes you through the process of creating the certificate request information that 
you must provide to the public Internet CA to obtain a certificate. 


Also, to use a certificate to sign objects you must define an application ID. This 
application ID controls how much authority is required for someone to sign objects 
with a specific certificate and provides another level of access control beyond that 
which DCM provides. By default, the application definition requires a user to have 
*ALLOBJ special authority to use the certificate for the application to sign objects. 
(However, you can change the authority the application ID requires by using 
iSeries Navigator.) 
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To use DCM to manage and use public Internet certificates to sign objects, 
complete these tasks: 


1. 
2. 


16. 


In the left-hand navigation frame of DCM, select Create New Certificate Store 
to start the guided task and complete a series of forms. These forms guide 
you through the process of creating a certificate store and a certificate that you 
can use to sign objects. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) button at the top of the page 
to access the online help. 


Select *OBJECTSIGNING as the certificate store to create and click Continue. 


Select Yes to create a certificate as part of creating the certificate store and 
click Continue. 


Select VeriSign or other Internet Certificate Authority (CA) as the signer of 
the new certificate and click Continue. This displays a form that allows you to 
provide identifying information for the new certificate. 


Complete the form and click Continue to display a confirmation page. This 
confirmation page displays the certificate request data that you must provide 
to the public Certificate Authority (CA) that will issue your certificate. The 
Certificate Signing Request (CSR) data consists of the public key and other 
information that you specified for the new certificate. 


. Carefully copy and paste the CSR data into the certificate application form, or 


into a separate file, that the public CA requires for requesting a certificate. You 
must use all the CSR data, including both the Begin and End New Certificate 
Request lines. When you exit this page, the data is lost and you cannot 
recover it. Send the application form or file to the CA that you have chosen to 
issue and sign your certificate. 


Note: You must wait for the CA to return the signed completed certificate 
before you can finish this procedure. 


After the public CA returns your signed certificate, start DCM. 


In the left-hand navigation frame, click Select a Certificate Store and select 
*OBJECTSIGNING as the certificate store to open. 


. When the Certificate Store and Password page displays, provide the password 


that you specified for the certificate store when you created it and click 
Continue. 


. In the navigation frame, select Manage Certificates to display a list of tasks. 
. From the task list, select Import certificate to begin the process of importing 


the signed certificate into the *OBJECTSIGNING certificate store. After you 
finish importing the certificate, you can create an application definition for 
using the certificate to sign objects. 


. After the left-hand navigation frame refreshes, select Manage Applications to 


display a list of tasks. 


. From the task list, select Add application to begin the process of creating an 


object signing application definition to use a certificate to sign objects. 


. Complete the form to define your object signing application and click Add. 


This application definition does not describe an actual application, but rather 
describes the type of objects that you plan to sign with a specific certificate. 
Use the online help to determine how to complete the form. 


Click OK to acknowledge the application definition confirmation message and 
display the Manage Applications task list. 
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17. From the task list, select Update certificate assignment and click Continue to 
display a list of object signing application IDs for which you can assign a 
certificate. 


18. Select your application ID from the list and click Update Certificate 
Assignment. 


19. Select the certificate that you imported and click Assign New Certificate. 


When you finish these tasks, you have everything that you need to begin fsigning| 
objects 


bjects|to ensure their integrity. 


When you distribute signed _objects, those who receive the objects must use a V5R1 
or later version of DCM to Fralidate the signaturelon the objects to ensure that the 
data is unchanged and to verify the identify of the sender. To validate the 
signature, the receiver must have a copy of the signature verification certificate. 


You should provide a copy of this certificate as part of the package of signed 
objects. 


The receiver also must have a copy of the CA certificate for the CA that issued the 
certificate that you used to sign the object. If you signed the objects with a 
certificate from a well-known Internet CA, the receiver’s version of DCM should 
already have a copy of the necessary CA certificate. However, you should provide 
a copy of the CA certificate along with the signed objects if you think the receiver 
may not already have a copy. For example, you should provide a copy of the Local 
CA certificate if you signed the objects with a certificate from a private Local CA. 
For security reasons, you should provide the CA certificate in a separate package 
or publicly make the CA certificate available at the request of those who need it. 


Manage certificates for verifying object signatures 

You can use Digital Certificate Manager (DCM) to manage the signature 
verification certificates that you use to validate digital signatures on objects. To 
you use a certificate’s private key to create the signature. When you 
send the signed object to others, you must include a copy of the certificate that 
signed the object. You do this by using DCM to export the object signing certificate 
(without the certificate’s private key) as a signature verification certificate. You can 
export a signature verification certificate to a file that you can then distribute to 
others. Or, if you want to verify signatures that you create, you can export a 
signature verification certificate into the *SIGNATUREVERIFICATION certificate 
store. 


To validate a signature on an object, you must have a copy of the certificate that 
signed the object. You use the signing certificate’s public key, which the certificate 
contains, to examine and verify the signature that was created with the 
corresponding private key. Therefore, before you can verify the signature on an 
object, you must obtain a copy of the signing certificate from whomever provided 
you with the signed objects. 


You must also have a copy of the Certificate Authority (CA) certificate for the CA 
that issued the certificate that signed the object. You use the CA certificate to verify 
the authenticity of the certificate that signed the object. DCM provides copies of 
CA certificates from most well-known CAs. If, however, the object was signed by a 
certificate from another public CA or a private Local CA, you must obtain a copy 
of the CA certificate before you can verify the object signature. 


To use DCM to verify object signatures, you must first create the appropriate 
certificate store for managing the necessary signature verification certificates; this is 


Chapter 7. Configure DCM 53 


54 


the *SIGNATUREVERIFICATION certificate store. When you create this certificate 
store, DCM automatically populates it with copies of most well-known public CA 
certificates. 


Note: If you want to be able to verify signatures that you created with your own 
object signing certificates, you must create the *SIGNATUREVERIFICATION 
certificate store and copy the certificates from the *OBJECTSIGNING 
certificate store into it. This is true even if you plan to perform signature 
verification from within the *OBJECTSIGNING certificate store. 


To use DCM to manage your signature verification certificates, complete these 
tasks: 


1. |Start DCM 


2. In the left-hand navigation frame of DCM, select Create New Certificate Store 
to start the guided task and complete a series of forms. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) button at the top of the page to 
access the online help. 


3. Select *SIGNATUREVERIFICATION as the certificate store to create and click 
Continue. 


Note: If the *OBJECTSIGNING certificate store exists, at this point DCM will 
prompt you to specify whether to copy the object signing certificates into 
the new certificate store as signature verification certificates. If you want 
to use your existing object signing certificates to verify signatures, you 
should select Yes and click Continue. You must know the password for 
the *OBJECTSIGNING certificate store to copy the certificates from it. 


4. Specify a password for the new certificate store and click Continue to create 
the certificate store. A confirmation page displays to indicate that the certificate 
store was created successfully. Now you can use the store to manage and use 
certificates to verify object signatures. 


Note: If you created this store so that you can verify signatures on objects that 
you signed, you can stop. As you create new object signing certificates, 
you should export them from the *OBJECTSIGNING certificate store into 
this certificate store. If you do not export them, you will not be able to 
verify the signatures that you create with them. 


Note: If you created this certificate store so that you can verify signatures on 
objects that you received from other sources, you should continue with 
this procedure so that you can import the certificates that you need into 
the certificate store. 


5. In the navigation frame, click Select a Certificate Store and select 
*SIGNATUREVERIFICATION as the certificate store to open. 


6. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 

7. After the navigation frame refreshes, select Manage Certificates to display a list 
of tasks. 


8. From the task list, select Import certificate. This guided task guides you 
through the process of importing the certificates that you need into the 
certificate store so that you can verify the signature on the objects that you 
received. 
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9. Select the type of certificate that you want to import. Select Signature 
verification to import the certificate that you received with the signed objects 
and complete the import task. 


Note: If the certificate store does not already contain a copy of the CA 
certificate for the CA that issued the signature verification certificate, you 
must import the CA certificate first. You may receive an error when 
importing the signature verification certificate if you do not import the 
CA certificate prior to importing the signature verification certificate. 


You can now use these certificates to |verify object signatures 
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Chapter 8. Manage DCM 


After you configure Digital Certificate Manager (DCM), there are a number of 
certificate management tasks that you will need to perform over time. To learn 
how to use DCM to manage your digital certificates, review these topics: 


Use a Local CA to issue certificates for other iSeries systems 
Learn how to use a private Local CA on one system to issue certificates for use on 
other iSeries systems. 


Manage applications in DCM 

Learn how to use DCM to work with application definitions for SSL-enabled 
applications or object signing applications. This topic provides information about 
creating application definitions and how to manage an application’s certificate 
assignment. You can learn about defining CA trust lists that applications use as the 
basis of accepting certificates for client authentication. 


Validate certificates and applications 


Learn how you can verify the authenticity of a specific certificate before an application 
uses it or accepts it. 


Assign certificates 
Learn how you can quickly assign a certificate to one or more applications to use for 
secure functions. 


Manage CRL locations} Learn how to define and use Certificate Revocation List (CRL) 
locations that applications can use to verify that the certificates they accept are valid. 


Store certificate keys on the IBM 4758 Cryptographic Coprocesso 
Learn how to use an installed coprocessor to provide more secure storage for your 
certificates’ private keys. 


Manage the request location for a PKIX CAI 

Learn how you can use DCM to manage certificates that you obtain from a public 
Internet CA that issues certificates under the Public Key Infrastructure for X.509 
(PKIX) standards. 


Sign objects 
Learn how to use DCM to manage certificates that you use to digitally sign objects to 
ensure their integrity. 


Verify object signatures 
Learn how to use DCM to validate the authenticity of digital signatures on objects. 


Use a Local CA to issue certificates for other iSeries systems 


You may already be using a private Local Certificate Authority (CA) on an iSeries 
system in your network. Now, you want to extend the use of this Local CA to 
another iSeries system in your network. For example, you want your current Local 
CA to issue a server or client certificate for an application on another iSeries 
system to use for SSL communications sessions. Or, you want to use certificates 
from your Local CA on one system to sign objects that you store on another iSeries 
server. 


You can accomplish this goal by using Digital Certificate Manager (DCM). You 


perform some of tasks on the iSeries on which you operate the Local CA and 
perform others on the secondary iSeries system that hosts the applications for 
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which you want to issue certificates. This secondary system is called the target 
system. The tasks that you must perform on the target system depend on that 
system’s release level. 


Note: You can encounter a problem if the iSeries system on which you operate the 
Local CA uses a cryptographic access provider product that provides 
stronger encryption than the target system. (For V5R2 the only 
cryptographic access provider available is 5722-AC3, which is the strongest 
product available. However, in earlier releases, you could install other, 
weaker cryptographic access provider products (5722—AC1, or 5722—AC2) 
that provided lower levels of cryptographic function.) When you export the 
certificate (with its private key), the system encrypts the file to protect its 
contents. If the system uses a stronger cryptographic product than the target 
system, the target system cannot decrypt the file during the import process. 
Consequently, the import may fail or the certificate may not be usable for 
establishing SSL sessions. This is true even if you use a key size for the new 
certificate that is appropriate for use with the cryptographic product on the 
target system. 


You can use your Local CA to issue certificates to other systems, which you can 
then use for signing objects or have applications use for establishing SSL sessions. 
When you use the Local CA to create a certificate for use on another iSeries 
system, the files that DCM creates contain a copy of the Local CA certificate, as 
well as copies of certificates for many public Internet CAs. 


The tasks that you must perform in DCM vary slightly depending on which type 
of certificate that your Local CA issues and the release level and conditions on the 
target system. 


Issue private certificates for use on another V5R2 or V5R1 iSeries system 


58 


To use your Local CA to issue certificates for use on another V5R2 or V5R1 iSeries 
system, : erform these steps on the system that hosts the Local CA: 


1. |Start DCM 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

2. In the navigation frame, select Create Certificate to display a list of certificate 
types that you can use your Local CA to create. 


You do not have to open a certificate store to complete this task. These 
instructions assume either that you are not working within a specific certificate 
store or that you are working within the Local Certificate Authority (CA) 
certificate store. A Local CA must exist on this system before you can perform 
these tasks. 

3. Select the type of certificate that you want the Local CA to issue, and click 
Continue to start the guided task and complete a series of forms. Select either 
to create a server or client certificate for another iSeries (for SSL sessions), or 
an object signing certificate for another iSeries (for use on another system). 


Note: If you are creating an object signing certificate for another system to use, 
that system must be running a V5R1 or later version of OS/400 to use 
the certificate. Because the target system must be at V5R1 or later, DCM 
on the host system does not prompt you to select a target release format 
for the new object signing certificate. 
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4. If you are creating a server or client certificate, select the release level of the 


iSeries system for which you are creating this certificate. Click Continue to 
display a form that allows you to provide identifying information for the new 
certificate. 


Note: The release level that you select determines the format that DCM uses to 
create the new certificate. The amount and type of identifying 
information on the form varies based on the release level that you 
selected. This ensures that the certificate files are compatible with the 
iSeries system that will use the certificate. 

Complete the form and click Continue to display a confirmation page. 


Note: If there is an existing *OBJECTSIGNING or *SYSTEM certificate store on 
the target system, be sure to specify a unique certificate label and unique 
file name for the certificate. Specifying a unique certificate label and file 
name ensures that you can easily import the certificate into the existing 
certificate store on the target system. 

This confirmation page displays the names of the files that DCM created for 

you to transfer to the target system. DCM creates these files based on the 

release level of the target system that you specified. DCM automatically puts a 

copy of the Local CA certificate into these files. 


Note: DCM creates the new certificate in its own certificate store and generates 
two files for you to transfer: a certificate store file (.KDB extension) and a 
request file (.RDB extension). 

Use binary File Transfer Protocol (FTP) or another method to transfer the files 

to the target system. 


Issue private certificates for use on a V4R4 or V4R5 iSeries system 


To use your Local CA to issue certificates for use on a V4R4 or V4R5 iSeries 
system, ; erform these steps on the system that hosts the V5R2 Local CA: 


1. |Start DCM 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

2. In the navigation frame, select Create Certificate to display a list of certificate 
types that you can use your Local CA to create. 


You do not have to open a certificate store to complete this task. These 
instructions assume either that you are not working within a specific certificate 
store or that you are working within the Local Certificate Authority (CA) 
certificate store. A Local CA must exist on this system before you can perform 
these tasks. 

3. Select the type of certificate that you want the Local CA to issue, and click 
Continue to start the guided task and complete a series of forms. 


Note: Because you are creating this certificate for use on a V4R4 or V4R5 
iSeries system, you must choose server or client certificate for another 
iSeries. Target systems with a release level prior to V5R1 cannot use 
object signing certificates. 

4. Select the release level of the iSeries for which you are creating this certificate. 

Click Continue to display a form that allows you to provide identifying 

information for the new certificate. 
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Note: The release level that you select determines the format that DCM uses to 
create the new certificate. The amount and type of identifying 
information on the form varies based on the release level that you 
selected. This ensures that the certificate files are compatible with the 
iSeries system that will use the certificate. 

Complete the form and click Continue to display a confirmation page. 


Note: If there is an existing *SYSTEM certificate store on the target system, be 
sure to specify a unique certificate label and unique file name for the 
certificate. Specifying a unique certificate label and file name ensures that 
you can easily import the certificate into the existing certificate store on 
the target system. 

This confirmation page displays the names of the files that DCM created for 

you to transfer to the target system. DCM creates these files based on the 

release level of the target system that you specified. DCM automatically puts a 

copy of the Local CA certificate into these files. 


Note: DCM creates the new certificate in its own certificate store and generates 
two files for you to transfer: a certificate store file (.KDB extension) and a 
request file (.RDB extension). 


Note: If you plan to use the certificates in these files in an existing *SYSTEM 


11. 


12. 
13. 


14. 


certificate store on a V4R4 or V4R5 target system, you cannot import the 
Local CA certificate directly from the .KDB and .RDB files. This is because the 
CA certificate is not in a format that the DCM import function can recognize 
and use. Instead, you must use the host system to export a copy of the Local 
CA certificate into a separate file to ensure that the CA certificate is in a 
format that will work with the import function for earlier releases. 

In the navigation frame, click Select a Certificate Store and select *SYSTEM 

as the certificate store to open. 


. When the Certificate Store and Password page displays, provide the password 


that you specified for the certificate store when you created it on the host 
system and click Continue. 

In the navigation frame, select Manage Certificates to display a list of tasks. 
From the list of tasks, select Export certificate. 


. Select Certificate Authority (CA) as the type of certificate to export and click 


Continue to display a list of CA certificates. 

From the list of certificates, select the Local CA certificate (for example, 
LOCAL_CERTIFICATE_AUTHORITY). Click Export to display a form that allows you 
to choose the destination for the CA certificate. 

Select File and click Continue. 

Specify the fully qualified path and file name for the export file and click 
Continue. A confirmation page displays to indicate that DCM exported the 
file successfully. 


Note: Make sure that you give the file a unique name and extension. For 
example, you could name the file mycafile.exp. When you name the 
file, do not use one of these extensions for the file: . TXT, .KDB, .RDB, or 
.KYR. Using one of these extension types may create a problem when 
you import the file on the target system. 

Use binary File Transfer Protocol (FTP) or another method to transfer the 

certificate store files that you created (.KDB and .RDB) to the V4R4 or V4R5 

target system. Use ASCII FTP mode to transfer the file that contains the 
exported Local CA certificate. 


Use the transferred files on the target system 
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After you transfer the files, use DCM on the target system to work with the 
transferred certificate files. The DCM tasks that you must perform vary based on 
the release level of the target system and which certificate stores exist on the target 
system. Also, the type of certificate that you created on the host system affects the 
tasks that you must perform on the target system. To learn how to use DCM on 
the target system to work with the transferred certificate files, review these topics: 
U = 


sea get s 
Use a private certificate for SSL sessions on a V4R5 or V4R4 target system 


Use a private certificate for SSL sessions on a V5R2 target 
system 


You manage the certificates that your applications use for SSL sessions from the 
*“SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never 
used DCM on the V5R2 target system to manage certificates for SSL, then this 
certificate store should not exist on the target system. The tasks for using the 
transferred certificate store files that you created on the Local Certificate Authority 
(CA) host system vary based_on whether the *SYSTEM certificate store exists. If the 
*SYSTEM certificate store you can use the transferred certificate files 
as a means of creating the *SYSTEM certificate store. If the *SYSTEM certificate 
does exist on the V5R2 target system, you can use the transferred certificate files in 
one_of two ways: 


Use the transferred files as an Other System Certificate Store 
Import the transferred files into the existing “SYSTEM certificate store 


*SYSTEM certificate store does not exist 


If the *SYSTEM certificate store does not exist on the V5R2 system on which you 
want to use the transferred certificate store files, you can use the transferred 
certificate files as the *SYSTEM certificate store. To create the *SYSTEM certificate 
store and use the certificate files on your V5R2 target system, follow these steps: 

1. Make sure that the certificate store files (two files: one with a .KDB extension 
and one with a .RDB extension) that you created on the system that hosts the 
Local CA are in the /QIBM/USERDATA/ICSS/CERT/SERVER directory. 

2. Once the transferred certificate files are in the 
/QIBM/USERDATA/ICSS/CERT/SERVER directory, rename these files to 
DEFAULT.KDB, and DEFAULT.RDB. By renaming these files in the appropriate 
directory, you create the components that comprise the *SYSTEM certificate 
store for the target system. The certificate store files already contain copies of 
certificates for many public Internet CAs. DCM added these, as well as a copy 
of the Local CA certificate, to the certificate store files when you created the 
them. 


Attention: If your target system already has a DEFAULT.KDB and a DEFAULT.RDB 
file in the /QIBM/USERDATA/ICSS/CERT/SERVER directory, the 
*SYSTEM certificate store currently exists on this target system. 
Consequently, you should not rename the transferred files as 
suggested. Overwriting the default files will create problems when 
using DCM, the transferred certificate store, and its contents. 
Instead, you should ensure that they have unique names and 
should use the transferred certificate store as an Other System 
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Certificate Store. If you use the files as an Other System Certificate 
Store, you cannot use DCM to specify which applications should 
use the certificate. 

You must now change the password for the *SYSTEM certificate 
store that you created by renaming the transferred files. Changing the 
password allows DCM to store the new password so that you can use all 
DCM certificate management functions on the certificate store. 

4. In the navigation frame, click Select a Certificate Store and select *SYSTEM 
as the certificate store to open. 

5. When the Certificate Store and Password page displays, provide the password 
that you specified on the host system for the certificate store when you created 
the certificate for the V5R2 target system and click Continue. 

6. In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password 
for the certificate store. After you change the password, you must re-open the 
certificate store before you can work with the certificates in it. Next you can 
specify which applications should use the certificate for SSL sessions. 

7. In the navigation frame, click Select a Certificate Store and select *SYSTEM 
as the certificate store to open. 

8. When the Certificate Store and Password page displays, provide the new 
password and click Continue. 

9. After the navigation frame refreshes, select Manage Certificates in the 
navigation frame to display a list of tasks. 

10. From the task list, select Assign certificate to display a list of certificates in 
the current certificate store. 

11. Select the certificate that you created on the host system and click Assign to 
Applications to display a list of SSL-enabled applications to which you can 
assign the certificate. 

12. Select the applications that should use the certificate for SSL sessions and click 
Continue. DCM displays a message to confirm your certificate selection for 
the applications. 


wo 


Note: Some SSL-enabled applications support client authentication based on 
certificates. An application with this support must to be able to 
authenticate certificates before providing access to resources. 
Consequently, you must Kiefine-a CA trast list for the application. This 
ensures that the application can validate only those certificates from 
CAs that you specify as trusted. If users or a client application present 


a certificate from a CA that is not specified as trusted in the CA trust 
list, the application will not accept it as a basis for valid authentication. 


With these tasks complete, applications on the target system can use the certificate 
issued by the Local CA on another iSeries. However, before you can begin using 
SSL for these applications, you must|configure the applications to use SSL 

Before a user can access the selected applications through an SSL connection, the 
user must use DCM toJobtain a copy of the Local CA certificate|from the host 


system. The Local CA certificate must be copied to a file on the user’s PC or 


downloaded into the user’s browser, depending on the requirements of the 
SSL-enabled application. 


*SYSTEM certificate store exists — using the files as an Other System Certificate Store 


If the V5R2 target system already has a *SYSTEM certificate store, you must decide 
how to work with the certificate files. You can choose to use the transferred 
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certificate files as an Other System Certificate Store. Or, you can choose tofimport] 
the private certificate and its corresponding Local CA\|certificate into the existing 


*SYSTEM certificate store. 


Other System Certificate Stores are user-defined secondary certificate stores for SSL 
certificates. You can create and use them to provide certificates for user-written 
SSL-enabled applications that do not use DCM APIs to register an application ID 
with the DCM feature. The Other System Certificate Store option allows you to 
manage certificates for applications that you or others write that use the SSL_Init 
API to programmatically access and use a certificate to establish an SSL session. 
This API allows an application to use the default certificate for a certificate store 
rather than a certificate that you specifically identify. 


IBM iSeries applications (and many other software developers’ applications) are 
written to use certificates in the *SYSTEM certificate store only. If you choose to 
use the transferred files as an Other System Certificate Store, you cannot use DCM 
to specify which applications should use the certificate for SSL sessions. 
Consequently, you cannot configure standard iSeries SSL-enabled applications to 
use this certificate. If you want to use the certificate for iSeries applications, you 
must import the certificate from your transferred certificate store files into the 
“SYSTEM certificate store. 


To access and work with the transferred certificate files as an Other System 

Certificate Store, follow these steps: 

7 

2. In the navigation frame, click Select a Certificate Store and select Other 
System Certificate Store as the certificate store to open. 

3. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file (the one with the .KDB 
extension) that you transferred from the host system. Also provide the 
password that you specified on the host system for the certificate store when 
you created the certificate for the V5R2 target system and click Continue. 

4. In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password for 
the certificate store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. Next you can specify that the certificate 

in this store be used as the default certificate. 

5. In the navigation frame, click Select a Certificate Store and select Other 
System Certificate Store as the certificate store to open. 

6. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file, provide the new 
password, and click Continue. 

7. After the navigation frame refreshes, select Manage Certificate Store and select 
Set default certificate from the list of tasks. 


Now that you have created and configured the Other System Certificate store, any 
applications that use the SSL_Init API can use the certificate in it to establish SSL 
sessions. 


*SYSTEM certificate store exists — using the certificates in the existing *SYSTEM certificate store 
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You can use the certificates in the transferred certificate store files in an existing 
*SYSTEM certificate store on a V5R2 system. To do so, you must import the 
certificates from the certificate store files into the existing *SYSTEM certificate store. 
However, you cannot import the certificates directly from the .KDB and .RDB files 
because they are not in a format that the DCM import function can recognize and 
use. To use the transferred certificates in an existing “SYSTEM certificate store, you 
must open the files as an Other System Certificate Store and export them into the 
*SYSTEM certificate store. 


To export the certificates from the certificate store files into the *SYSTEM certificate 


store, complete these steps on the V5R2 target system: 
1. |Start DCM 


2. In the navigation frame, click Select a Certificate Store and specify Other 
System Certificate Store as the certificate store to open. 

3. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file (the one with the .KDB 
extension) that you transferred from the host system. Also provide the 
password that you specified on the host system for the certificate store when 
you created the certificate for the V5R2 target system and click Continue. 

4. In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password 
for the certificate store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. If you do not change the 
password and select the Automatic login option, you may encounter 
errors when exporting the certificates from this store into the *SYSTEM 
certificate store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. 

5. In the navigation frame, click Select a Certificate Store and select Other 
System Certificate Store as the certificate store to open. 

6. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file, provide the new 
password, and click Continue. 

7. After the navigation frame refreshes, select Manage Certificates in the 
navigation frame to display a list of tasks and select Export certificate. 

8. Select Certificate Authority (CA) as the type of certificate to export and click 
Continue. 


Note: You should export the Local CA certificate into the certificate store 
before you export the server or client certificate into the certificate store. 
If you export the server or client certificate first, you may encounter an 
error because the Local CA certificate does not exist in the certificate 
store. 
9. Select the Local CA certificate to export and click Export. 

10. Select Certificate store as the destination for the exported certificate and click 
Continue. 

11. Enter *SYSTEM as the target certificate store, enter the password for the 
*“SYSTEM certificate store, and click Continue. A message displays to indicate 
that the certificate exported successfully or to provide error information if the 
export process failed. 
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12. Now you can export the server or client certificate into the *SYSTEM 
certificate store. Reselect the Export certificate task. 

13. Select Server or client as the type of certificate to export and click Continue. 

14. Select the appropriate server or client certificate to export and click Export. 

15. Select Certificate store as the destination for the exported certificate and click 
Continue. 

16. Enter *SYSTEM as the target certificate store, enter the password for the 
*SYSTEM certificate store, and click Continue. A message displays to indicate 
that the certificate exported successfully or to provide error information if the 
export process failed. 

17. Now you can assign the certificate to applications to use for SSL. Click Select 
a Certificate Store in the navigation frame and select *SYSTEM as the 
certificate store to open. 

18. When the Certificate Store and Password page displays, provide the password 
for the *SYSTEM certificate store and click Continue. 

19. After the navigation frame refreshes, select Manage Certificates to display a 
list of tasks. 

20. From the task list, select Assign certificate to display a list of certificates in 
the current certificate store. 

21. Select the certificate that you created on the host system and click Assign to 
Applications to display a list of SSL-enabled applications to which you can 
assign the certificate. 

22. Select the applications that should use the certificate for SSL sessions and click 
Continue. DCM displays a message to confirm your certificate selection for 
the applications. 


Note: Some SSL-enabled applications support client authentication based on 
certificates. An application with this support must to be able to 
authenticate certificates before providing access to resources. 
Consequently, you artist detine a CA trust lyr the application. This 
ensures that the application can validate only those certificates from 
CAs that you specify as trusted. If users or a client application present 


a certificate from a CA that is not specified as trusted in the CA trust 
list, the application will not accept it as a basis for valid authentication. 


With these tasks complete, applications on the target system can use the certificate 
issued by the Local CA on another iSeries. However, before you can begin using 
SSL for these applications, you must|configure the applications to use SSL 

Before a user can access the selected applications through an SSL connection, the 
user must use DCM to|lobtain a copy of the Local CA certificate|from the host 


system. The Local CA certificate must be copied to a file on the user’s PC or 


downloaded into the user’s browser, depending on the requirements of the 
SSL-enabled application. 


Use a private certificate for SSL sessions on a V5R1 target 
system 


You manage the certificates that your applications use for SSL sessions from the 
*SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never 
used DCM on the V5R1 target system to manage certificates for SSL, then this 
certificate store should not exist on the target system. The tasks for using the 
transferred certificate store files that you created on the Local Certificate Authority 
(CA) host system vary based on whether the *SYSTEM certificate store exists. If the 


*SYSTEM certificate store you can use the transferred certificate files 
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as a means of creating the *SYSTEM certificate store. If the *SYSTEM certificate 
does exist on the V5R1 target system, you can use the transferred certificate files in 


one of two ways: 
¢ {Use the transferred files as an Other System Certificate Store 
* [Import the transferred files into the existing *SYSTEM certificate store 


*SYSTEM certificate store does not exist 
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If the *SYSTEM certificate store does not exist on the V5R1 system on which you 
want to use the transferred certificate store files, you can use the transferred 
certificate files as the *SYSTEM certificate store. To use the certificate files on your 
V5R1 target system, follow these steps: 

1. Make sure that the certificate store files (two files: one with a .KDB extension 
and one with a .RDB extension) that you created on the system that hosts the 
Local CA are in the /QIBM/USERDATA/ICSS/CERT/SERVER directory. 

2. Once the transferred certificate files are in the 
/QIBM/USERDATA/ICSS/CERT/SERVER directory, rename these files to 
DEFAULT.KDB, and DEFAULT.RDB. By renaming these files in the appropriate 
directory, you create the components that comprise the *SYSTEM certificate 
store for the target system. The certificate store files already contain copies of 
certificates for many public Internet CAs. DCM added these, as well as a copy 
of the Local CA certificate, to the certificate store files when you created them. 


Attention: If your target system already has a DEFAULT.KDB and a DEFAULT.RDB 
file in the /QIBM/USERDATA/ICSS/CERT/SERVER directory, the 
“SYSTEM certificate store currently exists on this target system. 
Consequently, you should not rename the transferred files as 
suggested. Overwriting the default files will create problems when 
using DCM, the transferred certificate store, and its contents. 
Instead, you should ensure that they have unique names and 
should use the transferred certificate store as an Other System 
Certificate Store. If you use the files as an Other System Certificate 
Store, you cannot use DCM to specify which applications should 
use the certificate. 

3. You must now change the password for the *SYSTEM certificate 
store that you created by renaming the transferred files. Changing the 
password allows DCM to store the new password so that you can use all 
DCM certificate management functions on the certificate store. 

4. In the navigation frame, click Select a Certificate Store and select *SYSTEM 
as the certificate store to open. 

5. When the Certificate Store and Password page displays, provide the password 
that you specified on the host system for the certificate store when you created 
the certificate for the V5R1 target system and click Continue. 

6. In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password 
for the certificate store. After you change the password, you must re-open the 
certificate store before you can work with the certificates in it. Next you can 
specify which applications should use the certificate for SSL sessions. 

7. In the navigation frame, click Select a Certificate Store and select *SYSTEM 
as the certificate store to open. 

8. When the Certificate Store and Password page displays, provide the new 
password and click Continue. 

9. After the navigation frame refreshes, select Manage Applications in the 
navigation frame to display a list of tasks. 
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10. From the task list, select Update certificate assignment to display a list of 
SSL-enabled applications for which you can assign a certificate. 

11. Select an application from the list and click Update Certificate Assignment. 

12. Select the certificate that the Local CA on the host system issued and click 
Assign New Certificate. DCM displays a message to confirm your certificate 
selection for the application. 


Note: Some SSL-enabled applications support client authentication based on 
certificates. An application with this support must to be able to 
authenticate certificates before providing access to resources. 
Consequently, you mnie (define « CA miei let the application. This 
ensures that the application can validate only those certificates from 
CAs that you specify as trusted. If users or a client application present 


a certificate from a CA that is not specified as trusted in the CA trust 
list, the application will not accept it as a basis for valid authentication. 


With these tasks complete, applications on the target system can use the certificate 
issued by the Local CA on another iSeries. However, before you can begin using 
SSL for these applications, you must|configure the applications to use SSL 

Before a user can access the selected applications through an SSL connection, the 
user must use DCM tolobtain a copy of the Local CA certificate|from the host 


system. The CA certificate must be copied to a file on the user’s PC or downloaded 


into the user’s browser, depending on the requirements of the SSL-enabled 
application. 


*SYSTEM certificate store exists — using the files as an Other System Certificate Store 


If the V5R1 target system already has a *SYSTEM certificate store, you must decide 
how to work with the certificate files. You can choose to use the transferred 
certificate files as an Other System Certificate Store. Or, you can choose tolimport] 


*SYSTEM certificate store. 


Other System Certificate Stores are user-defined secondary certificate stores for SSL 
certificates. You can create and use them to provide certificates for user-written 
SSL-enabled applications that do not use DCM APIs to register an application ID 
with the DCM utility. The Other System Certificate Store option allows you to 
manage certificates for applications that you or others write that use the SSL_Init 
API to programmatically access and use a certificate to establish an SSL session. 
This API allows an application to use the default certificate for a certificate store 
rather than a certificate that you specifically identify. 


IBM iSeries applications (and many other software developers’ applications) are 
written to use certificates in the *SYSTEM certificate store only. If you choose to 
use the transferred files as an Other System Certificate Store, you cannot use DCM 
to specify which applications should use the certificate for SSL sessions. 
Consequently, you cannot configure standard iSeries SSL-enabled applications to 
use this certificate. If you want to use the certificate for iSeries applications, you 
must import the certificate from your transferred certificate store files into the 
“SYSTEM certificate store. 


To access and work with the transferred certificate files as an Other System 
Certificate Store, follow these steps: 


1. [Start DCM] 
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2. In the navigation frame, click Select a Certificate Store and select Other 
System Certificate Store as the certificate store to open. 

3. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file (the one with the .KDB 
extension) that you transferred from the host system. Also provide the 
password that you specified on the host system for the certificate store when 
you created the certificate for the V5R1 target system and click Continue. 

4. In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password for 
the certificate store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. Next you can specify that the certificate 

in this store be used as the default certificate. 

5. In the navigation frame, click Select a Certificate Store and select Other 
System Certificate Store as the certificate store to open. 

6. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file, provide the new 
password, and click Continue. 

7. After the navigation frame refreshes, select Manage Certificate Store and select 
Set default certificate from the list of tasks. 


Now that you have created and configured the Other System Certificate store, any 
applications that use the SSL_Init API can use the certificate in it to establish SSL 
sessions. 


*SYSTEM certificate store exists — using the certificates in the existing *SYSTEM certificate store 
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You can use the certificates in the transferred certificate store files in an existing 
*SYSTEM certificate store on a V5R1 system. To do so, you must import the 
certificates from the certificate store files into the existing *SYSTEM certificate store. 
However, you cannot import the certificates directly from the .KDB and .RDB files 
because they are not in a format that the DCM import function can recognize and 
use. To use the transferred certificates in an existing *SYSTEM certificate store, you 
must open the files as an Other System Certificate Store and export them into the 
“SYSTEM certificate store. 


Note: This procedure describes how to use an Other System Certificate Store on 
the target system to export the certificates from the original certificate store 
files into the *SYSTEM certificate store. Using this method to add the 
certificates to the *SYSTEM certificate store can help you avoid possible 
problems when the target system uses a weaker cryptographic access 
provider product (such as 5722—AC2) than the host system. 


To export the certificates from the certificate store files into the *SYSTEM certificate 
store, complete these steps on the V5R1 target system: 
1. 
2. In the navigation frame, click Select a Certificate Store and specify Other 
System Certificate Store as the certificate store to open. 
3. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file (the one with the .KDB 
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17. 


18. 


19. 


20. 


21. 


extension) that you transferred from the host system. Also provide the 
password that you specified on the host system for the certificate store when 
you created the certificate for the V5R1 target system and click Continue. 

In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password 
for the certificate store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. If you do not change the 
password and select the Automatic login option, you may encounter 
errors when exporting the certificates from this store into the *SYSTEM 
certificate store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. 

In the navigation frame, click Select a Certificate Store and select Other 

System Certificate Store as the certificate store to open. 

When the Certificate Store and Password page displays, provide the fully 

qualified path and file name of the certificate store file, provide the new 

password, and click Continue. 

After the navigation frame refreshes, select Manage Certificates in the 

navigation frame to display a list of tasks and select Export certificate. 

Select Certificate Authority (CA) as the type of certificate to export and click 

Continue. 


Note: You should export the Local CA certificate into the certificate store 
before you export the server or client certificate into the certificate store. 
If you export the server or client certificate first, you may encounter an 
error because the Local CA certificate does not exist in the certificate 
store. 

Select the Local CA certificate to export and click Export. 

Select Certificate store as the destination for the exported certificate and click 

Continue. 

Enter *SYSTEM as the target certificate store, enter the password for the 

*SYSTEM certificate store, and click Continue. 

Now you can export the server or client certificate into the *SYSTEM 

certificate store. Reselect the Export certificate task. 

Select Server or client as the type of certificate to export and click Continue. 

Select the appropriate server or client certificate to export and click Export. 

Select Certificate store as the destination for the exported certificate and click 

Continue. 

Enter *SYSTEM as the target certificate store, enter the password for the 

*SYSTEM certificate store, and click Continue. A message displays to indicate 

that the certificate exported successfully or to provide error information if the 

export process failed. 

Now you can assign the certificate to applications to use for SSL. Click Select 

a Certificate Store in the navigation frame and select *SYSTEM as the 

certificate store to open. 

When the Certificate Store and Password page displays, provide the password 

for the *SYSTEM certificate store and click Continue. 

After the navigation frame refreshes, select Manage Certificates to display a 

list of tasks. 

From the task list, select Update certificate assignment to display a list of 

SSL-enabled applications for which you can assign a certificate. 

Select an application from the list and click Update Certificate Assignment. 
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22. Select the certificate that the Local CA on the host system issued and click 
Assign New Certificate. DCM displays a message to confirm your certificate 
selection for the application. 


Note: Some SSL-enabled applications support client authentication based on 
certificates. An application with this support must to be able to 
authenticate certificates before providing access to resources. 
Consequently, you must [define a CA trust list for the application. This 
ensures that the application can validate only those certificates from 
CAs that you specify as trusted. If users or a client application present 


a certificate from a CA that is not specified as trusted in the CA trust 
list, the application will not accept it as a basis for valid authentication. 


With these tasks complete, applications on the target system can use the certificate 
issued by the Local CA on another iSeries. However, before you can begin using 
SSL for these applications, you must|configure the applications to use SSL 

Before a user can access the selected applications through an SSL connection, the 
user must use DCM tolobtain a copy of the Local CA certificate]from the host 


system. The CA certificate must be copied to a file on the user’s PC or downloaded 


into the user’s browser, depending on the requirements of the SSL-enabled 
application. 


Use a private certificate for signing objects on a V5R2 or 

V5R1 target system 
You manage the certificates that you use for signing objects from the 
*OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you 
have never used DCM on the target system to manage object signing certificates, 
then this certificate store should not exist on the target system. The tasks that you 
must perform to use the transferred certificate store files that you created on the 
Local CA host system vary based on whether the *OBJECTSIGNING certificate 
store exists. If the *OBJECTSIGNING certificate store you can use 
the transferred certificate files as a means of ee the *OBJECTSIGNING 


certificate store. If the *OBJECTSIGNING certificate |exists]on the target system, you 
must import the transferred certificates into it. 


*OBJECTSIGNING certificate store does not exist 


The tasks that you perform to use the certificate store files that you created on the 
Local CA host system vary based on whether you have ever used DCM on the 
target system to manage object signing certificates. 


If the *OBJECTSIGNING certificate store does not exist on the V5R2 or V5R1 target 
system with the transferred certificate store files, follow these steps: 

1. Make sure that the certificate store files (two files: one with a .KDB extension 
and one with a .RDB extension) that you created on the system that hosts the 
Local CA are in the /QIBM/USERDATA/ICSS/CERT/SIGNING directory. 

2. Once the transferred certificate files are in the 
/QIBM/USERDATA/ICSS/CERT/SIGNING directory, rename the certificate files to 
SGNOBJ.KDB, and SGNOBJ.RDB, if necessary. By renaming these files, you create 
the components that comprise the *OBJECTSIGNING certificate store for the 
target system. The certificate store files already contain copies of certificates 
for many public Internet CAs. DCM added these, as well as a copy of the 
Local CA certificate, to the certificate store files when you created them. 
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12. 


13. 


Attention: If your target system already has a SGNOBJ.KDB and a SGNOBJ.RDB 
file in the /QIBM/USERDATA/ICSS/CERT/SIGNING directory, the 
*OBJECTSIGNING certificate store currently exists on this target 
system. Consequently, you should not rename the transferred files 
as suggested. Overwriting the default object signing files will 
create problems for using DCM, the transferred certificate store, 
and its contents. You can get the certificates from these files into 
the existing *OBJECTSIGNING certificate store in one of two ways. 
You can export the certificates in this file to a set of flat files from 
which you can import the certificates into the existing 
*OBJECTSIGNING certificate store. Or, you can open the 
transferred files as an Other System Certificate Store and export 
the certificates directly into the *OBJECTSIGNING certificate store, 
as described further in this material. In either case, you must get 
the certificates into the *OBJECTSIGNING certificate store if you 
want to be able to manage the applications that use them as this 
procedure describes. 

You must now change the password for the *OBJECTSIGNING 

certificate store. Changing the password allows DCM to store the new 

password so that you can use all DCM certificate management functions on 
the certificate store. 

In the navigation frame, click Select a Certificate Store and select 

*OBJECTSIGNING as the certificate store to open. 

When the password page displays, provide the password that you specified 

for the certificate store when you created it on the host system and click 

Continue. 

In the navigation frame, select Manage Certificate Store and select Change 

password from the list of tasks. Complete the form to change the password 

for the certificate store. After you change the password, you must re-open the 
certificate store before you can work with the certificates in it. Next you can 
create an application definition for using the certificate to sign objects. 

After you re-open the certificate store, select Manage Applications in the 

navigation frame to display a list of tasks. 

From the task list, select Add application to begin the process of creating an 

object signing application definition to use a certificate to sign objects. 

Complete the form to define your object signing application and click Add. 

This application definition does not describe an actual application, but rather 

describes the type of objects that you plan to sign with a specific certificate. 

Use the online help to determine how to complete the form. 

Click OK to acknowledge the application definition confirmation message and 

display the Manage Applications task list. 


. From the task list, select Update certificate assignment to display a list of 


object signing application IDs for which you can assign a certificate. 

Select your application ID from the list and click Update Certificate 
Assignment. 

Select the certificate that the Local CA on the host system created and click 
Assign New Certificate. 


bjects}to ensure their integrity. 


When you finish these tasks, you have everything that you need to begin bigning| 
pbject 


When you distribute signed objects, those who receive the objects must use a V5R2 
or V5R1 version of DCM to}verify the signature]on the objects to ensure that the 


data is unchanged and to verify the identity of the sender. To validate the 
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signature, the receiver must have a copy of the signature verification certificate. 
You should provide a copy of this certificate as part of the package of signed 
objects. 


The receiver also must have a copy of the CA certificate for the CA that issued the 
certificate that you used to sign the object. If you signed the objects with a 
certificate from a well-known Internet CA, the receiver’s version of DCM should 
already have a copy of the necessary CA certificate. However, you should provide 
a copy of the CA certificate, in a separate package, along with the signed objects if 
necessary. For example, you should provide a copy of the Local CA certificate if 
you signed the objects with a certificate from a Local CA. For security reasons, you 
should provide the CA certificate in a separate package or publicly make the CA 
certificate available at the request of those who need it. 


*OBJECTSIGNING certificate store exists 
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You can use the certificates in the transferred certificate store files in an existing 
*OBJECTSIGNING certificate store on a V5R2 or V5R1 system. To do so, you must 
import the certificates from the certificate store files into the existing 
*OBJECTSIGNING certificate store. However, you cannot import the certificates 
directly from the .KDB and .RDB files because they are not in a format that the 
DCM import function can recognize and use. You can add the certificates into the 
existing *OBJECTSIGNING certificate store by opening the transferred files as an 
Other System Certificate Store on the V5R2 or V5R1 target system. You can then 
export the certificates directly into the *OBJECTSIGNING certificate store. You 
must export a copy of both the object signing certificate itself and the Local CA 
certificate from the transferred files. 


To export the certificates from the certificate store files directly into the 
*OBJECTSIGNING certificate store, complete these steps on the V5R2 or V5R1 
target system: 

1 

2. In the navigation frame, click Select a Certificate Store and specify Other 
System Certificate Store as the certificate store to open. 

3. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name for the certificate store files. Also provide the 
password that you used when you created them on the host system and click 
Continue. 

4. In the navigation frame, select Manage Certificate Store and select Change 
password from the list of tasks. Complete the form to change the password 
for the certificate store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. If you do not change the 
password and select the Automatic login option, you may encounter 
errors when exporting the certificates from this store into the 
*OBJECTSIGNING certificate store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. 

5. In the navigation frame, click Select a Certificate Store and select Other 

System Certificate Store as the certificate store to open. 
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6. When the Certificate Store and Password page displays, provide the fully 
qualified path and file name of the certificate store file, provide the new 
password, and click Continue. 

7. After the navigation frame refreshes, select Manage Certificates in the 
navigation frame to display a list of tasks and select Export certificate. 

8. Select Certificate Authority (CA) as the type of certificate to export and click 
Continue. 


Note: The wording for this task assumes that when you work with an Other 
System Certificate Store that you are working with server or client 
certificates. This is because this type of certificate store is designed for 
use as a secondary certificate store to the *SYSTEM certificate store. 
However, using the export task in this certificate store is the easiest way 
to add the certificates from the transferred files into the existing 
*OBJECTSIGNING certificate store. 

9. Select the Local CA certificate to export and click Export. 


Note: You should export the Local CA certificate into the certificate store 
before you export the object signing certificate into the certificate store. 
If you export the object signing certificate first, you may encounter an 
error because the Local CA certificate does not exist in the certificate 
store. 

10. Select Certificate store as the destination for the exported certificate and click 
Continue. 

11. Enter *OBJECTSIGNING as the target certificate store, enter the password for the 
certificate store, and click Continue. 

12. Now you can export the object signing certificate into the *OBJECTSIGNING 
certificate store. Reselect the Export certificate task. 

13. Select Server or client as the type of certificate to export and click Continue. 

14. Select the appropriate certificate to export and click Export. 

15. Select Certificate store as the destination for the exported certificate and click 
Continue. 

16. Enter *OBJECTSIGNING as the target certificate store, enter the password for the 
*OBJECTSIGNING certificate store, and click Continue. A message displays to 
indicate that the certificate exported successfully or to provide error 
information if the export process failed. 


Note: To use this certificate to sign objects, you must now [assign the 


to an object signing application. 


Use a private certificate for SSL sessions on a V4R5 or V4R4 
target system 


You manage the certificates that your applications use for SSL sessions from the 
*SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never 
used DCM on the V4R5 or V4R4 target system to manage certificates for SSL, then 
this certificate store should not exist on the target system. The transferred 
certificate store files that you created on the Local CA host system contain two 
certificates. These files are the server or client certificate that you created and the 
private Local CA certificate that you used to sign it. 


The tasks that you must perform to use the transferred certificate store files vary 
based_on whether the *SYSTEM certificate store exists. If the “SYSTEM certificate 
store you can use the transferred certificate files as a means of 
creating the *SYSTEM certificate store. If the *SYSTEM certificate does exist on the 
target system, you can use the transferred certificate files in one of two ways: 
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¢ {Use the transferred files as an Other system certificate store 
* [Import the transferred files into the existing *SYSTEM certificate store 


*SYSTEM certificate store does not exist 


If the *SYSTEM certificate store does not exist on the V4R5 or V4R4 system on 
which you want to use the transferred certificate store files, follow these steps: 


1. 


10. 


Make sure that the certificate store files (two files: one with a .KDB extension 
and one with a .RDB extension) that you created on the system that hosts the 
Local CA are in the /QIBM/USERDATA/ICSS/CERT/SERVER directory. 


. Once the transferred certificate files are in the 


/QIBM/USERDATA/ICSS/CERT/SERVER directory, rename these files to 
DEFAULT.KDB, and DEFAULT.RDB. By renaming these files in the appropriate 
directory, you create the components that comprise the *SYSTEM certificate 
store for the target system. The certificate store files already contain copies of 
certificates for many public Internet CAs. DCM added these, as well as a copy 
of the Local CA certificate, to the certificate store files when you created the 
them. 


Attention: If your target system already has a DEFAULT.KDB and a DEFAULT.RDB 
file in the /QIBM/USERDATA/ICSS/CERT/SERVER directory, the 
*SYSTEM certificate store currently exists on this target system. 
Consequently, you should not rename the transferred files as 
suggested. Overwriting the default files will create problems when 
using DCM, the transferred certificate store, and its contents. 
Instead, you should ensure that they have unique names and use 
the transferred certificate store files as an Other certificate store. If 
you use the files as an Other certificate store, you cannot use DCM 
to specify which applications should use the certificate. 


. {Start DCM} You must now change the password for the *SYSTEM certificate 


store. Changing the password allows DCM to store the new password so that 
you can use all DCM certificate management functions on the certificate store. 
In the navigation frame, make sure that *SYSTEM is shown as the certificate 
store in the drop-down list box and select System Certificates to display a list 
of available tasks. The Certificate Store and Password window displays. 

In the appropriate fields, enter *SYSTEM for the certificate store to open and the 
password that you used when you created the files by using the Local CA on 
the host system. Now you can change the password for the certificate store. 
From the task list in the navigation frame, select Change password. Complete 
the form to change the password for the certificate store. After you change the 
password, you must re-open the certificate store before you can work with the 
certificates in it. 


. After you re-open the *SYSTEM certificate store, select Work with secure 


applications from the task list to display a page that allows you to manage 
the certificates associated with specific applications. 

From the list of applications, select the application that should use the 
transferred private certificate for SSL sessions. 

Click Work with system certificate and select the certificate that the Local CA 
on the host system issued. 

Click Assign new certificate to have the specified application use the selected 
certificate. 


Note: Some SSL-enabled applications support client authentication based on 
certificates. Using certificates for client authentication ensures that the 
application receives a valid certificate before allowing access to the 
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resources the application controls. An application with this support 
must be set to trust a CA before the application is able to authenticate 
certificates that a specific CA issues. Use the Work with Certificate 
Authorities page to ensure that the CA certificate has trusted status in 
the certificate store. Then, use the Work with Secure Applications page 
to ensure that applications that use the certificate trust the Local CA 
that issued it. This ensures that the application can validate only those 
certificates from CAs that you specify as trusted. If users or a client 
application present a certificate from a CA that is not specified as 
trusted, the application will not accept it as a basis for valid 
authentication. 


With these tasks complete, applications on the V4R5 or V4R4 target system can use 
the certificate issued by the V5R2 Local CA on another iSeries. However, before 


ou can begin using SSL for these applications, you must 
applications to use SSL 


Before a user can access the selected applications through an SSL connection, the 
user must use DCM tolobtain a copy of the Local CA certificate}from the host 
system. The CA certificate must be copied to a file on the user’s PC or downloaded 


into the user’s browser, depending on the requirements of the SSL-enabled 
application. 


*SYSTEM certificate store exists — using the files as an Other system certificate store 


If the V4R5 or V4R4 target system already has a *SYSTEM certificate store, you 
must decide how to work with the certificate files. The transferred certificate store 
files contain two certificates: the server or client certificate that you created, and 
the private Local CA certificate that you used to sign it. You can choose to use the 
transferred certificate files as an Other system certificate store. Or, you can choose 
to fimport| the private certificate and its corresponding CA certificate into the 
existing *SYSTEM certificate store. 


If you choose to use the transferred files as an Other system certificate store, you 
cannot use DCM to specify which applications should use the certificate for SSL 
sessions. You can, however, designate the certificate in this certificate store as the 
default certificate for the certificate store. The Other system certificate store option 
allows you to manage certificates for applications that you or others write that use 
the SSL_Init API to programmatically access and use a certificate to establish an 
SSL session. This API allows an application to use the default certificate for a 
certificate store rather than a specific certificate. 


If the *SYSTEM certificate store exists on the V4R5 or V4R4 system on which you 

want to _use the transferred certificate store files, follow these steps: 

1. You must now change the password for the transferred certificate 
store. Changing the password allows DCM to store the new password so that 
you can use all DCM certificate management functions on the certificate store. 

2. In the navigation frame, make sure that OTHER is shown as the certificate store 
in the drop-down list box and select System Certificates to display a list of 
available tasks. The Certificate Store and Password window displays. 

3. In the appropriate fields, enter the fully qualified path and file name for the 
certificate store (.KDB extension) that you transferred from the Local CA host 
system. Enter the password that you used when you created the files on the 
host system. Now you can change the password for the certificate store. 
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4. In the navigation frame, select Change password from the list of System 
Certificate tasks. Complete the form to change the password for the certificate 
store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. Next you can specify that the certificate 

in this store be used as the default certificate. 

5. In the navigation frame, select Work with certificates to display a page that 
allows you to perform a number of certificate management tasks. 

6. From the list of certificates, select the certificate that you want to use as the 
default certificate for the current store and click Set default. 


Now that you have created and configured the Other system certificate store, any 
applications that use the SSL_Init API can use the certificate in it to establish SSL 
sessions. 


*SYSTEM certificate store exists — Importing the files into an existing *SYSTEM certificate store 
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Before you can import the certificates into *SYSTEM on a V4R5 or V4R4 target 
system, you first must export the certificates from the certificate store that you 
created into a different file format. You can then import the certificates into the 
“SYSTEM certificate store from the new files. The transferred certificate store files 
contain two certificates: the server or client certificate that you created, and the 
private Local CA certificate that you used to sign it. You must import both the 
server or client certificate that you created and the private Local CA certificate into 
the *SYSTEM certificate store. 


Note: The export functions available in DCM for V4R5 and V4R4 are not as well 
developed as those for V5R2 and you may experience problems if you use 
the target system to export the private Local CA certificate. Consequently, 
you should use the V5R2 host system to export an additional copy of the 
Local CA certificate into a separate file rather than using the V4R4 or V4R5 
target system to export it. After you export the Local CA certificate on the 
V5R2 host system, you can manually transfer the Local CA certificate export 
file to the V4R4 or V4R5 target system and follow the steps provided further 
in this procedure to import the Local CA certificate into the *SYSTEM 
certificate store. You must import the Local CA certificate before you import 
the private certificate that you created with it. If you import the private 
certificate first, you may encounter an error because the Local CA certificate 
does not exist in the certificate store. 


To export the certificate from the certificate store files, complete these steps on the 

V4R4 or V4R5 target system: 

/ 

2. In the navigation frame, make sure that OTHER is shown as the certificate store 
in the drop-down list box and select System Certificates to display a list of 
available tasks. The Certificate Store and Password window displays. 

3. Specify the fully qualified path and file name of the transferred certificate store 
files, provide the password that you used when you created them on the host 
system, and click OK. Now you can change the password for the certificate 
store. 
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4. In the navigation frame, select Change password from the list of System 
Certificate tasks. Complete the form to change the password for the certificate 
store. 


Note: Be sure to select the Automatic login option when you change the 
password for the certificate store. Using this option ensures that DCM 
stores the new password so that you can use all DCM certificate 
management functions on the new store. If you do not change the 
password and select the Automatic login option, you may encounter 
errors when exporting the certificates from this store. 

After you change the password, you must re-open the certificate store before 

you can work with the certificates in it. 

5. In the navigation frame, select Work with certificates to display a list of 
certificates. 
6. Select the private certificate from the list and click Export to display the Export 

Certificate page. 

7. Complete the Export Certificate form. 


Note: Make sure that you give the file a unique name and extension. For 
example, you could name the file myfile.exp. When you name the file, 
do not use one of these extensions for the file: . TXT, .KDB, .RDB, or .KYR 
as using one of these extensions may cause an error when you import 
the certificates from the file. Select the appropriate release level for the 
target system that will use this certificate. The release level that you 
select affects the format for the exported certificate. 

8. Click OK. A message that DCM exported the certificate to the file that you 
specified displays at the top of the page. 


At this point, you should have used DCM on the original V5R2 host system to 
export an additional copy of the Local CA certificate and manually transferred it to 
the V4R4 or V5R5 target system. You should also have used DCM on this target 
system to export the private server or client certificate to a file. Now you are ready 
to import these certificates into the *SYSTEM certificate store. You must import the 
Local CA certificate before you import the private certificate that you created with 
it. If you import the private certificate first, you may encounter an error because 
the Local CA certificate does not exist in the certificate store. 


To import the certificates from these export files and specify that SSL-enabled 
applications use them, complete these steps on the V4R4 or V4R5 target system: 

; 

2. In the navigation frame, make sure that “SYSTEM is shown as the certificate 
store in the drop-down list box and select System Certificates to display a list 
of available tasks. The Certificate Store and Password window displays. 

3. Specify *SYSTEM as the certificate store to open, provide the password, and 
click Continue. 

4. Now you must import the Local CA certificate from the export file that you 
created on the V5R2 host system. In the navigation frame, select Receive a CA 
certificate to display a form. 

5. Complete the form and click OK to display the Receive Certificate Successful 
page. When you are working in the *SYSTEM certificate store, this page 
displays a list of applications that you can set to trust the imported CA 
certificate. 


Note: Some SSL-enabled applications support client authentication based on 
certificates. Using certificates for client authentication ensures that the 


application receives a valid certificate before allowing access to the 
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resources the application controls. An application with this support 
must be set to trust a CA before the application is able to authenticate 
certificates that a specific CA issues. This ensures that the application 
can validate only those certificates from CAs that you specify as 
trusted. If users or a client application present a certificate from a CA 
that is not specified as trusted, the application will not accept it as a 
basis for valid authentication. 

6. Select the applications that should trust the CA certificate and click OK. The 
Secure Applications Status page displays to confirm that the selected 
applications are set to trust the new certificate. 

7. Now you can import the server certificate. In the navigation frame, select 
Work with certificates to display a list of certificates. 

8. Click Import to display the Import Certificate page. 

9. Complete the Import Certificate form and click OK to return to the Work with 
Certificates page. Make sure that you provide the name of the file that 
contains the exported server or client certificate and that you specify a target 
release that matches the one you specified when exporting the certificate 
previously. A message that DCM has added the certificate to the current 
certificate store displays at the top of the page. The certificate that you 
imported should appear in the list of certificates as well. 

10. Now you must specify which applications should use the imported private 
certificate for SSL. In the navigation frame, select Work with secure 
applications to display a page that allows you to manage the certificates 
associated with specific applications. 

11. Select an application from the list and click Work with system certificate to 
display a list of certificates that you can specify the selected application use 
for establishing SSL sessions. 

12. Select a certificate from the list and click Assign new certificate to assign the 
selected certificate to the specified application. A confirmation message to 
indicate the certificate selection displays at the top of the page. 


With these tasks complete, applications on the V4R4 or V4R5 target system can use 


the certificate issued by the Local CA on another iSeries. However, before you can 
begin using SSL for these applications, you must 
6s 
Before a user can access the selected applications through an SSL connection, the 
Une ust tise DCM tolobtain a copy of the Local. Ca cenuicateliror the hos 
system. The CA certificate must be copied to a file on the user’s PC or downloaded 


into the user’s browser, depending on the requirements of the SSL-enabled 
application. 


Manage applications in DCM 
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You can use Digital Certificate Manager (DCM), to perform various management 
tasks for SSL-enabled applications and object signing applications. For example, 
you can manage which certificates your applications use for Secure Sockets Layer 
(SSL) communications sessions. The application management tasks that you can 
perform vary based on the type of application and the certificate store in which 
you are working. You can manage applications from the *SYSTEM or 
*OBJECTSIGNING certificate stores only. 


While most application management tasks that DCM provides are easy to 
understand, a few of these tasks may not be familiar to you. For more information 
about these tasks, review these topics: 
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Create an application definition| describes the types of applications that you can 


define and work with. 


Manage certificate assignments] describes how to assign or change the certificate that 


an application uses to establish an SSL session or to sign objects. 


Define a CA trust list} describes when you can and should define which Certificate 


Authorities an application can trust for validating and accepting certificates. 


You can find information about other DCM tasks in the online help. 


Create an application definition 


There are two types of application definitions that you can work with in DCM: 
application definitions for server or client applications that use SSL and application 
definitions that you use for signing objects. 


To use DCM to work with SSL application definitions and their certificates, the 
application must first be registered with DCM as an application definition so that 
it has a unique application ID. Application developers register SSL-enabled 
applications by using an API ( to create the 


OSYRGAP, OsyRegisterAppForCertUse} 


application ID in DCM automatically. All IBM iSeries SSL-enabled applications are 
registered with DCM so that you can easily use DCM to assign a certificate to 
them so that they can establish an SSL session. Also, for applications that you write 
or purchase, you can define an application definition and create the application ID 
for it within DCM itself. You must be working in the *SYSTEM certificate store to 
create an SSL application definition for either a client application or a server 
application. 


To use a certificate to sign objects, you first must define an application for the 
certificate to use. Unlike an SSL application definition, an object signing application 
does not describe an actual application. Instead, the application definition that you 
create should describe the type or group of objects that you intend to sign. You 
must be working in the *OBJECTSIGNING certificate store to create an object 
signing application definition. 


To create an application definition, follow these steps: 
1. |Start DCM 


2. Click Select a Certificate Store and select the appropriate certificate store. (This 
is either the *SYSTEM certificate store or the *OBJECTSIGNING certificate store 
depending on the type of application definition that you are creating.) 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the on-line help. 

3. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 

4. In the navigation frame, select Manage Applications to display a list of tasks. 

5. Select Add application from the task list to display a form for defining the 
application. 


Note: If you are working in the *SYSTEM certificate store, DCM will prompt 
you to choose whether to add a server application definition or a client 
application definition. 

6. Complete the form and click Add. The information that you can specify for the 
application definition varies based on the type of application that you are 
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defining. If you are defining a server application, you can also specify whether 
the application can use certificates for client authentication and should require 
client authentication. You can also specify that the application must use a CA 
trust list to authenticate certificates. 


Manage the certificate assignment for an application 


You must use Digital Certificate Manager (DCM) to assign a certificate to an 

application before the application can perform a secure function, such as 

establishing a Secure Sockets Layer (SSL) session or signing an object. To assign a 

certificate to an application, or to change the certificate assignment for an 

application, follow these steps: 

1. 

2. Click Select a Certificate Store and select the appropriate certificate store. (This 
is either the *SYSTEM certificate store or the *OBJECTSIGNING certificate store 
depending on the type of application to which you are assigning a certificate.) 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the on-line help. 

3. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 

4. In the navigation frame, select Manage Applications to display a list of tasks. 

5. If you are in the *SYSTEM certificate store, select the type of application to 
manage. (Select either Server or Client application, as appropriate.) 

6. From the task list, select Update certificate assignment to display a list of 
applications for which you can assign a certificate. 

7. Select an application from the list and click Update Certificate Assignment to 
display a list of certificates that you can assign to the application. 

8. Select a certificate from the list and click Assign New Certificate. DCM 
displays a message to confirm your certificate selection for the application. 


Note: If you are assigning a certificate to an SSL-enabled application that 
supports the use of certificates for client authentication, you must|define] 
fa CA trust list for the application. This ensures that the application can 
validate only those certificates from CAs that you specify as trusted. If 
users or a client application presents a certificate from a CA that is not 


specified as trusted in the CA trust list, the application will not accept it 
as a basis for valid authentication. 


When you change or remove a certificate for an application, the application may or 
may not be able to recognize the change if the application is running at the time 
you change the certificate assignment. For example, Client Access Express servers 
will apply any certificate changes that you make automatically. However, you may 
need to stop and start Telnet servers, the IBM HTTP Server for iSeries, or other 
applications before these applications can apply your certificate changes. 


Beginning in V5R2, you can use the|Assign certificate|task when you want to 


assign a certificate to several applications at once. 


Define a CA trust list for an application 


Applications that support the use of certificates for client authentication during a 
Secure Sockets Layer (SSL) session must determine whether to accept a certificate 
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as valid proof of identity. One of the criteria that an application uses for 
authenticating a certificate is whether the application trusts the Certificate 
Authority (CA) that issued the certificate. 


You can use Digital Certificate Manager (DCM) to define which CAs an application 
can trust when performing client authentication for certificates. You manage the 
CAs that an application trusts through a CA trust list. 


Before you can define a CA trust list for an application, several conditions must be 

met: 

* The application must support the use of certificates for client authentication. 

* The definition for the application must specify that the application use a CA 
trust list. 


If the definition for an application specifies that the application use a CA trust list, 
you must define the list before the application can perform certificate client 
authentication successfully. This ensures that the application can validate only 
those certificates from CAs that you specify as trusted. If users or a client 
application present a certificate from a CA that is not specified as trusted in the CA 
trust list, the application will not accept it as a basis for valid authentication. 


When you add a CA to the trust list for an application, you must ensure that the 
CA is enabled as well. 


To define a CA trust list for an application, follow these steps: 

1. |Start DCM 

2. Click Select a Certificate Store and select *SYSTEM as the certificate store to 
open. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the on-line help. 

3. When the Certificate Store and Password page displays, provide the password 
that you specified for the certificate store when you created it and click 
Continue. 

4. In the navigation frame, select Manage Applications to display a list of tasks. 

From the task list, select Define CA trust list. 

Select the type of application (server or client) for which you want to define the 

list and click Continue. 

7. Select an application from the list and click Continue to display a list of CA 
certificates that you use to define the trust list. 

8. Select the CAs that the application should trust and click OK. DCM displays a 
message to confirm your trust list selections. 


Note: You can either select individual CAs from the list or you can specify that 
the application should trust all or trust none of the CAs in the list. Also, 
you can view or validate the CA certificate before you add it to the trust 
list. 


Validate certificates and applications 


You can use Digital Certificate Manager (DCM) to validate individual certificates 
or the applications that use them. The list of things that DCM checks differs 
slightly depending on whether you are validating a certificate or an application. 


Application validation 
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Using DCM to validate an application definition helps prevent certificate problems 
for the application when it is performing a function that requires certificates. Such 
problems could prevent an application either from participating successfully in a 
Secure Sockets Layer (SSL) session or from signing objects successfully. 


When you validate an application, DCM verifies that there is a certificate 
assignment for the application and ensures that the assigned certificate is valid. 
Additionally, DCM ensures that if the application is configured to use a Certificate 
Authority (CA) trust list, that the trust list contains at least one CA certificate. 
DCM then verifies that the CA certificates in the application CA trust list are valid. 
Also, if the application definition specifies that Certificate Revocation List (CRL) 
processing occur and there is a defined [CRL location] for the CA, DCM checks the 
CRL as part of the validation process. 


Certificate validation 


When you validate a certificate, DCM verifies a number of items pertaining to the 
certificate to ensure the authenticity and validity of the certificate. Validating a 
certificate ensures that applications that use the certificate for secure 
communications or for signing objects are unlikely to encounter problems when 
using the certificate. 


As part of the validation process, DCM checks that the selected certificate is not 
expired. DCM also checks that the certificate is not listed in a Certificate 
Revocation List (CRL) as revoked, if a CRL location exists for the CA that issued 
the certificate. In addition, DCM checks that the CA certificate for the issuing CA is 
in the current certificate store and that the CA certificate is enabled and therefore 
trusted. If the certificate has a private key (for example, server, client, and object 
signing certificates), then DCM also validates the public-private key pair to ensure 
that the public-private key pair match. In other words, DCM encrypts data with 
the public key and then ensures that the data can be decrypted with the private 
key. 


| Assign a certificate to applications 
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Beginning in V5R2, a new Digital Certificate Manager (DCM) enhancement allows 
you to assign a certificate quickly and easily to multiple applications. You can 
assign a certificate to multiple applications in the *SYSTEM or *OBJECTSIGNING 
certificate stores only. 


To make a certificate assignment for one or more applications, follow these steps: 


1. Stat DCM 


Note: If you have questions about how to complete a specific form while using 
DCM, select the question mark (?) at the top of the page to access the 
online help. 

2. In the navigation frame, click Select a Certificate Store and select either 

*OBJECTSIGNING or *SYSTEM as the certificate store to open. 

3. Enter the password for the certificate store and click Continue. 

4. After the navigation frame refreshes, select Manage Certificates to display a list 
of tasks. 

5. From the list of tasks, select Assign certificate to display a list of certificates for 
the current certificate store. 

6. Select a certificate from the list and click Assign to Applications to display a 
list of application definitions for the current certificate store. 
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7. Select one or more applications from the list and click Continue. A page 
displays with either a confirmation message for your assignment selection or an 
error message if a problem occurred. 


Manage CRL locations 


Digital Certificate Manager (DCM) allows you to define and manage |Certificate] 
Revocation List (CRL) Iesatior| information for a specific Certificate Authority (CA) 
to use as part of the certificate validation process. DCM, or an application that 
requires CRL processing, can use the CRL to determine that the CA that issued a 
specific certificate has not revoked the certificate. When you define a CRL location 
for a specific CA, applications that support the use of certificates for client 


authentication can access the CRL. 


Applications that support the use of certificates for client authentication can 
perform CRL processing to ensure more stringent authentication for certificates 
that they accept as valid proof of identity. Before an application can use a defined 
CRL as part of the certificate validation process, the DCM application definition 
must require that the application perform CRL processing. 


How CRL processing works 


When you use DCM to validate a certificate or application, DCM performs CRL 
processing by default as part of the validation process. If there is no CRL location 
defined for the CA that issued the certificate that you are validating, DCM cannot 
perform CRL checking. However, DCM can attempt to validate other important 
information about the certificate, such as that the CA signature on the specific 
certificate is valid and that the CA that issued it is trusted. 


Define a CRL location 


To define a CRL location for a specific CA, follow these steps: 

' 

2. In the navigation frame, select Manage CRL Locations to display a list of tasks. 

3. Select Add CRL location from the task list to display a form that you can use 
to describe the CRL location and how DCM or the application should access 
the location. 

4. Complete the form and click OK. You must give the CRL location a unique 
name, identify the LDAP server that hosts the CRL, and provide connection 
information that describes how to access the LDAP server. 


Note: If you have questions about how to complete a specific form in this 
guided task, select the question mark (?) at the top of the page to access 
the online help. 

Now you need to associate the CRL location definition with a specific CA. 

5. In the navigation frame, select Manage Certificates to display a list of tasks. 

6. Select Update CRL location assignment from the task list to display a list of 
CA certificates. 

7. Select the CA certificate from the list to which you want to assign the CRL 
location definition that you created and click Update CRL Location 
Assignment. A list of CRL locations displays. 

8. Select the CRL location from the list that you want to associate with the CA 
and click Update Assignment. A message displays at the top of the page to 
indicate that the CRL location has been assigned to the Certificate Authority 
(CA) certificate. 
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Having defined a location for a CRL for a specific CA, DCM or other applications 
can use it when performing CRL processing. However, before CRL processing can 
work, the Directory Services server must contain the appropriate CRL. Also, you 


must configure both the Directory Services server and client applications to use 
SSL, and |assign a certificate to the applications in DCM 

To learn more about configuring and using the iSeries Directory Services (LDAP) 
server, review these Information Center topics: 


* |Directory Services (LDAP) 


This topic tells you everything you need to know about configuring and using 
an iSeries Directory Services (LDAP) server. 


* Using Secure Sockets Layer (SSL) security with the LDAP directory serve 


This topic explains what you need to do to configure your LDAP server to use 
SSL for secure communications. 


Store certificate keys on the IBM 4758 Cryptographic Coprocessor 
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If you have installed an|IBM 4758-023 PCI Cryptographic Coprocessor|on your 


iSeries, you can use the coprocessor to provide more secure storage for a 
certificate’s private key. You can use the coprocessor to store the private key for a 
server certificate, a client certificate, or a local Certificate Authority (CA) certificate. 
However, you cannot use the coprocessor for storing a user certificate private key 
because this key must be stored on the user’s system. Also, you cannot use the 
coprocessor to store the private key for an object signing certificate at this time. 


You_can use the coprocessor for certificate private key storage in one of two ways: 
Storing the certificate private key directly on the coprocessor] itself. 
Using the coprocessor master key to encrypt the certificate private ke 


storage in a special key file. 


for 


You can select this key storage option as part of the process of creating or 
renewing a certificate. Also, if you use the coprocessor to store a certificate’s 
private key, you can change the coprocessor device assignment for that key. 


To use the coprocessor for private key storage, you must ensure that the 
coprocessor is varied on prior to using Digital Certificate Manager (DCM). 
Otherwise, DCM will not provide a page for selecting a storage option as part of 
the certificate creation or renewal process. 


If you are creating or renewing a server or client certificate, you select the private 
key storage option after you select the type of CA that is signing the current 
certificate. If you are creating or renewing a local CA, you select the private key 
storage option as the first step in the process. 


Store the certificate private key directly on the coprocessor 


To more strongly protect access to and use of a certificate’s private key, you can 
choose to store the key directly on an IBM 4758-023 PCI Cryptographic 
Coprocessor. You can select this key storage option as part of creating or renewing 
a certificate in Digital Certificate Manager (DCM). 


Follow these steps from the Select a Key Storage Location page to store the 
certificate’s private key directly on the coprocessor: 

1. Select Hardware as your storage option. 

2. Click Continue. This displays the Select a Cryptographic Device Description 


page. 
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3. From the list of devices, select the one that you want to use for storing the 
certificate’s private key. 

4. Click Continue. DCM continues to display pages for the task that you are 
completing, such as identifying information for the certificate that you are 
creating or renewing. 


Use the coprocessor master key to encrypt the certificate 
private key 


To more strongly protect access to and use of a certificate’s private key, you can 
use the master key of an IBM 4758-023 PCI Cryptographic Coprocessor to encrypt 
the private key and store the key in a special key file. You can select this key 
storage option as part of creating or renewing a certificate in Digital Certificate 
Manager (DCM). 


Before you can use this option successfully, you must use the[IBM 4758-023 PC]| 
ee pis apie ep occ eorl orice tien web interface to create an appropriate 
keystore file. Also, you must use the coprocessor configuration web interface to 
associate the keystore file with the coprocessor device description that you want to 


use. You can access the coprocessor configuration web interface from the iSeries 
Tasks page. 


If your system has more than one coprocessor device installed and varied on, you 
can choose to share the certificate’s private key among multiple devices. In order 
for device descriptions to share the private key, all of the devices must have the 
same master key. The process for distributing the same master key to multiple 
devices is called cloning. Sharing the key among devices allows you to use Secure 
Sockets Layer (SSL) load balancing, which can improve performance for secure 
sessions. 


Follow these steps from the Select a Key Storage Location page to use the 

coprocessor master key to encrypt the certificate’s private key and store it in a 

special keystore file: 

1. Select Hardware encrypted as your storage option. 

2. Click Continue. This displays the Select a Cryptographic Device Description 
page. 

3. From the list of devices, select the one that you want to use for encrypting the 
certificate’s private key. 

4. Click Continue. If you have more than one coprocessor device installed and 
varied on, the Select Additional Cryptographic Device Descriptions page 
displays. 


Note: If you do not have multiple coprocessor devices available, DCM 
continues to display pages for the task that you are completing, such as 
identifying information for the certificate that you are creating or 
renewing. 

5. From the list of devices, select the name of one or more device descriptions 
with which you want to share the certificate’s private key. 


Note: The device descriptions that you select must have the same master key 
as the device you selected on the previous page. To verify that the 
master key is the same on the devices, use the Master Key Verification 
task in the 4758 Cryptographic Coprocessor Configuration web interface. 
You can access the coprocessor configuration web interface from the 
iSeries Tasks page. 
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6. Click Continue. DCM continues to display pages for the task that you are 
completing, such as identifying information for the certificate that you are 
creating or renewing. 


Manage the request location for a PKIX CA 


A Public Key Infrastructure for X.509 (PKIX) Certificate Authority (CA) is a CA 
that issues certificates based on the newest Internet x.509 standards for 
implementing a public key infrastructure. PKIX standards are outlined in Request 
For Comments (RFC) 2560. 


A PKIX CA requires more stringent identification before issuing a certificate; 
usually by requiring that an applicant provide proof of identity through a 
Registration Authority (RA). After the applicant supplies the proof of identity that 
the RA requires, the RA certifies the applicant’s identity. Either the RA or the 
applicant, depending on the CA’s established procedure, submits the certified 
application to the associated CA. As these standards are adopted more widely, 
PKIX compliant CAs will become more widely available. You should investigate 
using a PKIX compliant CA if your security needs require strict access control to 
resources that your SSL-enabled applications provide to users. For example, Lotus® 
Domino™ provides a PKIX CA for public use. 


If you choose to have a PKIX CA issue certificates for your applications to use, you 
can use Digital Certificate Manager (DCM) to manage these certificates. You use 
DCM to configure a URL for a PKIX CA. Doing so configures Digital Certificate 
Manager (DCM) to provide a PKIX CA as an option for obtaining signed 
certificates. 


To use DCM to manage certificates from a PKIX CA, you must configure DCM to 

use the location for the CA by following these steps: 

] 

2. In the navigation frame, select Manage PKIX Request Location to display a 
form that allows you to specify the URL for the PKIX CA or its associated RA. 

3. Enter the fully qualified URL for the PKIX CA that you want to use for 
requesting a certificate; for example: http://www. thawte.com and click Add. 
Adding the URL configures DCM to add the PKIX CA as an option for 
obtaining signed certificates. 


After you add a PKIX CA request location, DCM adds PKIX CA as an option for 
specifying the type of CA that you can choose for issuing a certificate when using 
the Create Certificate task. 


Sign objects 


There are three methods that you can_use for signing objects. You_can write a 
program that calls the|Sign Object API} You can use|Digital Certificate Manager 
DCM) to sign objects! Or, beginning in V5R2, you can use iSeries Navigator's 


Management Central feature to sign objects|as you package them for distribution 


to other iSeries systems. 


You can use the certificates that you manage in DCM to sign any object that you 
store in the system’s integrated file system, except objects that are stored in a 
library. You can sign only these objects that are stored in the QSYS.LIB file system: 
*PGM, *SRVPGM, *MODULE, *SQLPKG, and *FILE (save file only). New in V5R2, 
you can also sign command (*CMD) objects. You cannot sign objects that are stored 
on other iSeries servers. 
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You can sign objects with certificates that you purchase from a public Internet 
Certificate Authority (CA) or that you create with a private, Local CA in DCM. The 
process of signing certificates is the same, regardless of whether you use public or 
private certificates. 


Object signing prerequisites 


Before you can use DCM (or the Sign Object API) to sign objects, you must ensure 
that certain prerequisite conditions are met: 


* You must have created the *OBJECTSIGNING certificate store, either as part of 
the process of |creating a Local CAlor_ as part of the process of managing object 
signing certificates from a public Internet CA 


¢ The *OBJECTSIGNING certificate store must contain at least one certificate, 
either one that you created by using the Local CA or one that you obtained from 
a public Internet_CA. 


* You must have|created an object signing application definition|to use for signing 


objects. 


* You must have|assigned a certificate] to the object signing application that you 


plan to use to sign objects. 


Use DCM to sign objects 


To use DCM to sign one or more objects, follow these steps: 


1. [Stat Dow 


Note: If you have questions about how to complete a specific form while using 
DCM, select the question mark (?) at the top of the page to access the 
online help. 

2. In the navigation frame, click Select a Certificate Store and select 

*OBJECTSIGNING as the certificate store to open. 

3. Enter the password for the *OBJECTSIGNING certificate store and click 

Continue. 

4. After the navigation frame refreshes, select Manage Signable Objects to 
display a list of tasks. 

5. From the list of tasks, select Sign an object to display a list of application 
definitions that you can use for signing objects. 

6. Select an application and click Sign an Object to view a form for specifying the 
location of the objects that you want to sign. 


Note: If the application that you select does not have a certificate assigned to 
it, you cannot use it to sign an object. You must first use the Update 
certificate assignment task under Manage Applications to assign a 
certificate to the application definition. 

7. In the field provided, enter the fully qualified path and file name of the object 
or directory of objects that you want to sign and click Continue. Or, enter a 
directory location and click Browse to view the contents of the directory to 
select objects for signing. 


Note: You must start the object name with a leading slash or you may 
encounter an error. You can also use certain wildcard characters to 
describe the part of the directory that you want to sign. These wildcard 
characters are the asterisk (*), which specifies "any number of 
characters,” and the question mark (?), which specifies "any single 
character.” For example, to sign all the objects in a specific directory, you 
could enter /mydirectory/*; to sign all the programs in a specific library, 
you could enter /QSYS.LIB/QGPL.LIB/*.PGM. You can use these wildcards 
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only in the last part of the path name; for example, 
/mydirectory*/filename results in an error message. If you want to use 
the Browse function to see a list of library or directory contents, you 
should enter the wildcard as part of the path name prior to clicking 
Browse. 
8. Select the processing options that you want to use for signing the selected 
object or objects and click Continue. 


Note: If you choose to wait for job results, the results file displays directly in 
your browser. Results for the current job are appended to the end of the 
results file. Consequently, the file may contain results from any previous 
jobs, in addition to those of the current job. You can use the date field in 
the file to determine which lines in the file apply to the current job. The 
date field is in YYYYMMDD format. The first field in the file can be 
either the message ID (if an error occurred during processing the object) 
or the date field (indicating the date on which the job processed). 

9. Specify the fully qualified path and file name to use for storing job results for 
the object signing operation and click Continue. Or, enter a directory location 
and click Browse to view the contents of the directory to select a file for storing 
the job results. A message displays to indicate that the job was submitted to 
sign objects. To view the job results, see job QOBJSGNBAT in the job log. 


Verify object signatures 
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You can use Digital Certificate Manager (DCM) to verify the authenticity of digital 
signatures on objects. When you verify the signature, you ensure that the data in 
the object has not been changed since the object owner signed the object. 


Signature verification prerequisites 


Before you can use DCM to verify signatures on objects, you must ensure that 
certain prerequisite conditions are met: 


¢ You must have created the *SIGNATUREVERIFICATION certificate store to 


manage your signature verification certificates 


Note: You can perform signature verification while working within the 
*OBJECTSIGNING certificate store in cases where you are verifying 
signatures for objects that were signed on the same system. The steps that 
you perform to verify the signature in DCM are the same in either 
certificate store. However, the *SIGNATUREVERIFICATION certificate 
store must exist and must contain a copy of the certificate that signed the 
object even if you perform signature verification while working within the 
*OBJECTSIGNING certificate store. 

* The *SIGNATUREVERIFICATION certificate store must contain a copy of the 
certificate that signed the objects. 
* The *SIGNATUREVERIFICATION certificate store must contain a copy of the 

CA certificate that issued the certificate that signed the objects. 


Use DCM to verify signatures on objects 


To use DCM to verify object signatures, follow these steps: 


1. |Start DCM 
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Note: If you have questions about how to complete a specific form while using 
DCM, select the question mark (?) at the top of the page to access the 
online help. 

2. In the navigation frame, click Select a Certificate Store and select 
*SIGNATUREVERIFICATION as the certificate store to open. 

3. Enter the password for the *SIGNATUREVERIFICATION certificate store and 
click Continue. 

4. After the navigation frame refreshes, select Manage Signable Objects to 
display a list of tasks. 

5. From the list of tasks, select Verify object signature to specify the location of 
the objects for which you want to verify signatures. 

6. In the field provided, enter the fully qualified path and file name of the object 
or directory of objects for which you want to verify signatures and click 
Continue. Or, enter a directory location and click Browse to view the contents 
of the directory to select objects for signature verification. 


Note: You can also use certain wildcard characters to describe the part of the 
directory that you want to verify. These wildcard characters are the 
asterisk (*), which specifies "any number of characters,” and the question 
mark (?), which specifies "any single character.” For example, to sign all 
the objects in a specific directory, you could enter /mydirectory/*; to 
sign all the programs in a specific library, you could enter 
/QSYS.LIB/QGPL.LIB/*.PGM. You can use these wildcards only in the last 
part of the path name; for example, /mydirectory*/filename results in 
an error message. If you want to use the Browse function to see a list of 
library or directory contents, you should enter the wildcard as part of 
the path name prior to clicking Browse. 

7. Select the processing options that you want to use for verifying the signature 
on the selected object or objects and click Continue. 


Note: If you choose to wait for job results, the results file displays directly in 
your browser. Results for the current job are appended to the end of the 
results file. Consequently, the file may contain results from any previous 
jobs, in addition to those of the current job. You can use the date field in 
the file to determine which lines in the file apply to the current job. The 
date field is in YYYYMMDD format. The first field in the file can be 
either the message ID (if an error occurred during processing the object) 
or the date field (indicating the date on which the job processed). 

8. Specify the fully qualified path and file name to use for storing job results for 
the signature verification operation and click Continue. Or, enter a directory 
location and click Browse to view the contents of the directory to select a file 
for storing the job results. A message displays to indicate that the job was 
submitted to verify object signatures. To view the job results, see job 
QOBJSGNBAT in the job log. 


You can also, use DCM to view information about the certificate that signed an 


object. This allows you to determine whether the object is from a source that you 
trust before you work with the object. 
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Chapter 9. Troubleshoot DCM 


You can use these pages to find useful information that can help you to 
troubleshoot some of the more common problems that you may encounter while 
working with Digital Certificate Manager (DCM). 


For information about problems and possible solutions for them, review these 


pages: 


Troubleshoot passwords and general problems 


may encounter and how 


Ss 


Use this information to learn about common DCM user interface problems that you 


you may be able to correct them. 


Troubleshoot certificate store and key database problems| 


Use this information to learn about common certificate store and key database 
problems that you may encounter and how you may be able to correct them. 


Troubleshoot browser problems 


Use this information to learn about common problems that you may encounter when 
sing your browser to access DCM and how you may be able to correct them. 


Troubleshoot HTTP Server for iSeries problems 


Use this information to learn about common HTTP server problems that you may 
encounter and how you may be able to correct them. 


| 


Migration errors and recovery solutions 
Use this information to learn about common problems that you may encounter when 
you migrate DCM from a previous release and how you may be able to correct them. 


Troubleshooting for assigning a user certificate 


Use this information to learn about common problems that you may encounter when 


| 


you use DCM to register a user certificate and how you may be able to correct them. 


Troubleshoot passwords and general problems 


Use the following table to find information to help you troubleshoot some of the 
more common password and other general problems that you may encounter 
while working with Digital Certificate Manager (DCM). 


Problem 


Possible Solution 


You cannot find additional help for DCM. 


In DCM, click the "?" help icon. You can also search the 
Information Center and external sites on the Internet. 


You receive a NET.DATA error when you attempt to 
open a certificate store. 


Your password for the Local Certificate Authority 
(CA) and *SYSTEM certificate stores do not work. 


When you Select a Certificate Store, use your mouse to 
select the Continue button rather than using the Enter key 
on your keyboard. 


Passwords are case sensitive. Be sure the caps lock is the 
same as it was when you assigned the password. 


Your attempt to reset the password when you used 
the Select a Certificate Store task failed. 


The reset function works only if DCM has stored the 
password. DCM stores the password automatically when 
you create a certificate store. However, if you change (or 
reset) the password for an Other System Certificate Store, 
then you must select the Automatic login option so that 
DCM continues to stash the password. 


© Copyright IBM Corp. 1999, 2002 


91 


Problem 


Possible Solution 


Also, if you move a certificate store from one system to 
another, you must change the password for the certificate 
store on the new system to ensure that DCM stashes it 
automatically. To change the password, you must supply the 
original password for the certificate store when you open it 
on the new system. You cannot use the reset password 
option until you have opened the store with the original 
password and changed the password to stash it. If the 
password is not changed and stashed, DCM and SSL cannot 
automatically recover the password when it is needed for 
various functions. If you are moving a certificate store that 
you will use as an Other System Certificate Store, you must 
select the Automatic login option when you change the 
password to ensure that DCM stashes the new password for 
this type of certificate store. 


Check the value assigned to the "Allow new digital 
certificates” attribute under the Work with system security 
option of the System Service Tools (SST). If this attribute is 
set to a value of 2 (No), then the certificate store password 
cannot be reset. You can view or change the value for this 
attribute by using the STRSST command and entering the 
Service Tools user [Dand password. Then choose the "Work 
with system security” option. The Service Tools user ID is 
probably the QSECOFR user ID. 


You cannot find a source for a CA certificate to 
receive it into your iSeries system. 


Some CAs do not make their CA certificate readily available. 
If you cannot get the CA certificate from the CA, then 
contact your VAR since your VAR may have made special or 
monetary arrangements with the CA. 


You cannot find the *SYSTEM certificate store. 


The file location of the *SYSTEM certificate must be 
/qibm/userdata/icss/cert/server/default.kdb. If that 
certificate store does not exist you need to use DCM to 
create the certificate store. Use the Create New Certificate 
Store task. 


You received an error from DCM, and the error 
continues to appear after you have fixed it. 


Clear your browser cache. Set the cache size to 0, and end 
and restart the browser. 


You have an LDAP server problem such as certificate 
assignments not being shown when the information 
about the secure application is displayed immediately 
after assigning a certificate. This problem occurs more 
often when using iSeries Navigator to get to a 
Netscape Communications browser. Your preference 
for the browser cache is set to compare the document 
in cache to the document on the network "Once per 
session.” 


Change your default preference to check the caching every 
time. 


When you use DCM to import a certificate signed by 
an external CA such as Entrust, you receive an error 
message that the validity period does not contain 
today or does not fall within its issuer’s validity 
period. 


The system is using Generalized Time format for the validity 
period. Wait a day and try again. Also, verify that your 
iSeries has the correct value for UTC offset (dspsysval 
qutcoffset). If you observe Daylight Savings Time, your 
offset might be incorrectly set. 
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Problem 


Possible Solution 


You received a base 64 error when trying to import 
an Entrust certificate. 


The certificate is listed as being a specific format such as 
PEM format. If the copy function of your browser does not 
work well you may copy extra material that does not belong 
with the certificate, such as blank spaces at the front of each 
line. If this is the case, then the certificate will not be the 
right format when you try to use it on the iSeries. Some web 
page designs cause this problem. Other web pages are 
designed to avoid this problem. Be sure to compare the 
appearance of the original certificate to the results of the 
paste, since the pasted information should look the same. 


When you migrate from the V4R3 version of DCM to 
the V5R2 version, the migration does not 
accommodate expired system certificates. 


The expired system certificate is now bad and cannot get 
into the *SYSTEM certificate store. Remove or rename old 
key ring files from V4R3 before migrating, ignore the 
migration fail indicator, or try the migration again. 


You cannot find the sample code for adding 
certificates into validation lists. 


The sample code is not yet available. 


Troubleshoot certificate store and key database problems 


Use the following table to find information to help you troubleshoot some of the 
more common certificate store and key database problems you may encounter 
while working with Digital Certificate Manager (DCM). 


Problem 


Possible Solution 


The system has not found the key database, or has 
found it to be invalid. 


Check your password and file name for typographical 
errors. Be sure that the path is included with the file name, 
including the leading forward slash. 


Key database creation failed. 


Check for a file name conflict. The conflict may exist in a 
different file than the one for which you asked. 


The system does not accept a CA text file that was 
transferred in binary mode from another system. It 
does accept the file when it is transferred in 
American National Standard Code for Information 
Interchange (ASCII). 


Key rings and key databases are binary and, therefore, 
different. You must use File Transfer Protocol (FTP) in ASCII 
mode for CA text files and FTP in binary mode for binary 
files, such as files with these extensions: .kdb, .kyr, .sth, 
.rdb, and so forth. 


You cannot change the password of a key database. A 
certificate in the key database is no longer valid. 


After verifying that an incorrect password is not the 
problem, find and delete the invalid certificate or certificates 
from the certificate store, and then try to change the 
password. If you have expired certificates in your certificate 
store, the expired certificates are no longer valid. Since the 
certificates are not valid, the password change function for 
the certificate store may not allow the password to be 
changed and the encryption process will not encrypt the 
private keys of the expired certificate. This keeps the 
password change from occurring, and the system may report 
that certificate store corruption is one of the reasons. You 
must remove the invalid (expired) certificates from the 
certificate store. 
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Problem 


Possible Solution 


You need to use certificates for an Internet user and 
therefore need to use validation lists, but DCM does 
not provide functions for validation lists. 


Business partners who are writing applications to use 
validation lists must write their code to associate the 
validation list with their application as expected. They must 
also write the code that determines when the Internet user’s 
identity is appropriately validated so that the certificate can 
be added to the validation list. Review the Information 
Center topic for the[Qsy AddV1diCertificate] APL. Consult the 
Webmaster’s Guide for help with configuring the secure 
server instance to use the validation list. 


Troubleshoot browser problems 


Use the following table to help you troubleshoot some of the more common 
browser-related problems that you may encounter while working with Digital 


Certificate Manager (DCM). 


Problem 


Microsoft® Internet Explorer does not let you select a 
different certificate until you start a new browser 
session. 


Possible Solution 


Begin a new browser session for Internet Explorer. 


Internet Explorer does not show all selectable 

client/user certificates in a browser’s selection list. 
Internet Explorer only shows certificates, issued by 
the trusted CA, that you can use at the secure site. 


A CA must be trusted in the key database as well as by the 
secure application. Be sure that you signed on to the PC for 
the Internet Explorer browser with the same user name as 
the one that put the user certificate in the browser. Get 
another user certificate from the system that you are 
accessing. The system administrator should be sure that the 
certificate store (key database) still trusts the CA that signed 
the user and system certificates. 


Internet Explorer 5 receives the CA certificate, but 
cannot open the file or find the disk to which you 
saved the certificate. 


This is a new browser feature for certificates that are not yet 
trusted by the Internet Explorer browser. You can choose the 
location on your PC. 


You received a browser warning that the system 
name and system certificate do not match. 


Some browsers do different things for uppercase and 
lowercase matching on system names. Type the URL with 
the same case as the system certificate shows. Or, create the 
system certificate with the case that matches what most 
users use. Unless you know what you are doing, it is best to 
leave the server name or system name as it was. You should 
also check that your domain name server is set up correctly. 


You started Internet Explorer with HTTPS instead of 
HTTP, and you received a warning of a secure and 
nonsecure mix of sessions. 


Choose to accept and ignore the warning; a future release of 
Internet Explorer fixes this problem. 


Netscape Communicator 4.04 for Windows® 
converted hexadecimal values Al and B1 to B2 and 
9A in the Polish code page. 


This is a browser bug that affects NLS. Use a different 
browser or even use the same version of this browser on a 
different platform, such as Netscape Communicator 4.04 for 
AIX®. 


In a user profile, Netscape Communicator for 4.04 
showed uppercase user certificate NLS characters 
correctly, but showed lowercase characters incorrectly. 


Some national language characters that were entered 
correctly as one character but are not the same character 
when displayed later. For example, on the Windows version 
of Netscape Communicator 4.04, the hexadecimal values Al 
and B1 were converted to B2 and 9A for the Polish code 
page, resulting in different NLS characters being displayed. 


The browser continues to tell the end user that the 
CA is not yet trusted. 


Use DCM to set the CA status to enabled to mark the CA as 
trusted. 
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Problem 


Possible Solution 


Internet Explorer requests reject the connection for 
HTTPS. 


This is a problem with the browser function or its 
configuration. The browser chose not to connect to a site 
that is using a system certificate that might be self-signed or 
may not be valid for some other reason. 


Netscape Communicator browser and server products 
employ root certificates from companies, including, 
but not limited to, VeriSign, as an enabling feature of 
SSL communications — specifically, authentication. 
All root certificates expire periodically. Some 
Netscape browser and server root certificates expired 
between December 25, 1999 and December 31, 1999. If 
you did not fix this problem on or before December 
14, 1999, you will receive an error message. 


Earlier versions of the browser (Netscape Communicator 
4.05 or earlier) have certificates that expire. You need to 
upgrade the browser to the current Netscape Communicator 
version. Information on browser root certificates is available 
on many sites including 
http://home.netscape.com/security/ and 

http://www. verisign.com/server/cus/rootcert/webmaster.htm]. 
Free browser downloads are available from 
http://www.netcenter.com. 


Troubleshoot HTTP Server for iSeries problems 


Use the following table to find information to help you troubleshoot some of the 
more common HTTP Server for iSeries problems that you may encounter while 
working with Digital Certificate Manager (DCM). 


Problem 


Possible Solution 


Hypertext Transfer Protocol Secure (HTTPS) does not 
work. 


Be sure the HTTP Server is configured correctly for using 
SSL. In V5R1 or later versions the configuration file must 
have SSLAppName set by using the HTTP Server’s 
graphical user interface (GUI). Also, the configuration must 
have a virtual host configured that uses the SSL port, with 
SSLEnable inside the virtual host. There must also be two 
Listen directives specifying two different ports, one for SSL 
the other not for SSL. Be sure the server instance is created 
and the server certificate is signed. 


The process for registering an HTTP Server instance 
as a secure application needs clarification. 


On your iSeries system, go to the HTTP Server’s web 
interface to set the configuration for your HTTP Server. You 
first must define a virtual host to enable SSL. This is done 
on the Context Management screen. The virtual host must 
be defined to use the SSL port defined previously on the 
Listen directive. Next, you must use the SSL General 
Settings screen to turn on SSL in the previously configured 
virtual host. All changes must be applied to the 
configuration file. Note that registering your instance does 
not automatically choose which certificates the instance 
shoud use. You must use DCM to assign a specific certificate 
to your application before you try to end and then restart 
your server instance. 


You are having difficulty setting up the HTTP Server 
for validation lists and optional client authentication. 


See the HTTP Server Webmaster’s Guide for options on 
setting up the instance. This information is also available 
under the topic in the Information Center. 


Netscape Communicator waits for the configuration 
directive in the HTTP Server code to expire before 
allowing you to select a different certificate. 


A large certificate value makes it hard to register a second 
certificate since the browser is still using the first one. 
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Problem 


Possible Solution 


You are trying to get the browser to present the X.509 


certificate to the HTTP Server so that you can use the 
certificate as input to the|QsyAddVldlCertificate} API. 


You must use SSLEnable and SSLClientAuth ON in order 
to get the HTTP Server to load the 
HTTPS_CLIENT_CERTIFICATE environment variable. You 
can find these APIs in the|OS/400 APIs| topic in the 
Information Center. You may also want to look at these 
validation lists or certificate-related APIs: 

* QsyListVldlCertificates and QSYLSTVC 

* QsyRemoveVldlCertificate and QRMVVC 

* QsyCheckVldlCertificate and QSYCHKVC 


* QsyParseCertificate and QSYPARSC, and so on. 


You cannot find the request file that is created when 
the HTTP Server is installed. The system uses this file 
to indicate the valid key ring files found on the 
KEYFILE directive in the configuration files in its 
directory. 


See|Migrate to DCM from an earlier release|for more 


information. For HTTP Server the correct file is 
/qibm/userdata/httpsvr/keyring/keymreq.crt. For LDAP 
the correct file is /qibm/userdata/os400/dirsrv/qdirsrv.crt. 


The HTTP Server takes too long to return, or times 
out if you request a list of the certificates in the 
validation list and there are more than 10,000 items. 


Create a batch job that looks for and deletes certificates 
matching certain criteria, such as all those that have expired 
or are from a certain CA. 


You observed a problem with your certificate stores 
after installing V5R2 over the V4R3 release and 
/qibm/userdata/httpsvr/keyring/keymreq.crt or 
/qibm/usedata/os400/dirsrv/qdirsrv.crt file now 
exists. The system could not complete the automatic 
key ring to key database migration. 


Specify the old key ring files as the certificate store, and find 
and delete the invalid certificate or certificates from the key 
ring files before calling qicss/qyepmgrt to re-attempt the 
migration. Or, ignore or delete the .crt file if the migration 
activity has moved all the important certificates. 


The HTTP Server will not start successfully with 
SSLEnable set, and error message HTP8351 appears in 
the job log. The error log for the *ADMIN server 
shows an error that SSL Initialization operation failed 
with a return code error of 107 when the HTTP 
Server fails. 


Error 107 means the certificate has expired. If the server 
instance is the *ADMIN server, then temporarily set 
SSLDisable so that you can use DCM on the *ADMIN 
server. Use DCM to assign a different certificate to the 
application; for example, QIBM_HTTP_SERVER_ADMIN if 
the server instance is the *ADMIN server. 


Migration errors and recovery solutions 


Errors and error recovery 


The following indicators alert you to errors that might occur during migration: 


/QIBM/USERDATA/HTTPS VR/KEYRING/KEYMREQ.CRT 
The presence of this indicator after you have successfully installed both option 
34 and 5722-DG1 means the key ring migration that 5722-DG1 attempted did 
not succeed. You may need to perform key ring migration into the *SYSTEM 


certificate store. 


/QIBM/USERDATA/OS400/DIRSRV/QDIRSRV.CRT 
The presence of this indicator after you have successfully installed option 34 
means that the key ring migration for the LDAP server did not succeed. 


In addition to the indicated errors, there are possible migration errors that the 
system might not indicate. For example, when the system finds key ring files that 
it needs to migrate into the *SYSTEM certificate store, it might also find conflicts 
with existing integrated file system user data files. In such an instance, the system 
might not complete key ring file migration, even though you completed the install 


successfully. 
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In a rare scenario, it might be possible to have key ring file migration with partial 
system certificate assignment completed before an error prevents the completion of 
migration. This can result in errors when you start the IBM HTTP Server *ADMIN 
instance if SSLMODE is ON. Possible explanations are: 


* A migrated key ring file had a bad system certificate set as its default. 


* DCM ended migration to preserve user data that already existed in a critical file 
name. 


* An unpredictable error occurred in the migration code. 


You can start the IBM HTTP Server without SSLMODE set to ON by temporarily 
turning SSLMODE set OFF for the *ADMIN instance before starting the *ADMIN 
instance. This allows you to investigate the certificate stores with DCM and resolve 
the problem before ending the *ADMIN instance. After you end the *ADMIN 
instance, you can then turn SSLMODE back to ON and start the *ADMIN instance 
to initialize SSL correctly. 


After the migration of option 34, errors might occur during normal DCM requests 
that use the certificate stores. These errors occur on the browser. Examples of such 
errors follow: 

Database error 

Database Read error 

Database Write error 

Database corruption 

Database table corrupted 


Further, the system might have a file that is not a valid certificate store named 
default.kdb in the same directory as 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR or 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR. In this case, you need to complete 
the following manual migration before using DCM to create new certificates: 


Note: If you choose not to migrate the key ring files and instead create a new CA 
and system certificate, skip the following manual migration procedure. 
* If you plan to install the HTTP Server for iSeries (5722-DG1), install it now 
before continuing. 


Notes: 


1. The 5722-SS1 option 34 install code does not attempt migration again after 
you install option 34. Simply re-installing option 34 does not help. 


2. The appropriate files are located in user data directories that have been 
created with PUBLIC *EXCLUDE authority. Ensure that you are correctly 
authorized to them. 

* Check to see if the following files exist: 


— /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . KDB 
— /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT . KDB 
If they exist, use the WRKLNK command to rename them and create backups. 


* From a user profile that has *ALLOBJ authority, call the program 
QICSS/QYEPMGRT on a command line, as follows: 


CALL QICSS/QYEPMGRT 


If the result is successful, ensure that neither of the following files exists on your 
system: 

— /QIBM/USERDATA/HTTPSVR/KEYRING/KEYMREQ. CRT 

— /QIBM/USERDATA/0S400/DIRSRV/QDIRSRV.CRT 
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DCM normally keeps a backup copy of the user data that you save in files whose 
file names conflict with those that DCM uses. If the following files do not exist: 


* /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR 
* /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR 


But the following files do exist: 
* /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH 
* /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH 


Then the system attempts to rename them with an appended .OLD extension. If 
those files already exist as well, the system does not create any backup copies. 
Instead, it simply overwrites the existing .STH files. 


Miscellaneous 


If your attempts to create a CA and a system certificate continue to fail due to file 
name conflicts, you might have encountered one of the following: 


* Different file name conflict - DCM attempts to protect user data in the 
directories that it creates, even if those files keep DCM from successfully 
creating the files when it needs to. Resolve this by copying all of the conflicting 
files to a different directory and, if possible, use DCM functions to delete the 
corresponding files. If you cannot use DCM to accomplish this, manually delete 
the files from the original integrated file system directory where they were 
conflicting with DCM. Ensure that you record exactly which files you move and 
where you move them. The copies allow you to recover the files if you find that 
you still need them. You need to create a new CA after moving the following 
files: 

/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . KDB 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT. TEMP. KDB 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . RDB 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH .OLD 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . POL 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . BAK 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . TEMP 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . STHBAK 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.STH 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA. TXT 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA. BAK 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA. TMP 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . POLTMP 
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT . POLBAK 
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CACRT 
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CATMP 
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA. CABAK 
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CLIENT/*.USRCRT 


You need to create a new *SYSTEM certificate store and system certificate after 
moving the following files: 


/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT . KDB 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT . BAK 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT . RDB 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT. STH 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT. STH. OLD 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT . STHBAK 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT. TMP 
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT. TEMP. STH 
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV. TMP 
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/QIBM/USERDATA/ICSS/CERT/SERVER/SRV .BAK 
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV. TXT 
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV. SGN 
/QIBM/USERDATA/ICSS/CERT/SERVER/SGN. TMP 
/QIBM/USERDATA/ICSS/CERT/SERVER/SGN. BAK 
/QIBM/USERDATA/ICSS/CERT/SERVER/EXPSRV. TMP 
/QIBM/USERDATA/ICSS/CERT/SERVER/EXPSGN. TMP 


* Missing prerequisite — Ensure that you have correctly installed the prerequisite 
licensed programs (LPPs). 


* Code problem - Contact your service representative. 


Troubleshoot assigning a user certificate 


When you use the Assign a user certificate task, Digital Certificate Manager 
(DCM) displays certificate information for you to approve before registering the 
certificate. If DCM is unable to display a certificate, the problem could be caused 
by one of these situations: 

1. Your browser did not request that you select a certificate to present to the 
server. This may happen if the browser cached a previous certificate (from 
accessing a different server). Try clearing the browser’s cache and try the task 
again. The browser should prompt you to select a certificate. 

2. The certificate that you want to register is already registered with DCM. 

3. The Certificate Authority that issued the certificate is not designated as a 
trusted root on the system. Therefore, the certificate you are presenting is not 
valid. Contact your system administrator to determine if the CA that issued 
your certificate is correct. If the CA is correct, the system administrator may 
need to Import the CA certificate into the *SYSTEM certificate store. Or, the 
administrator may need to use the Work with CA certificates task to enable the 
CA as a trusted root on the system to correct the problem. 

4. You do not have a certificate to register. You can check for user certificates in 
your browser to see if this is the problem. 

5. The certificate that you are trying to register is expired or incomplete. You must 
either renew the certificate or contact the CA that issued it to resolve the 
problem. 

6. The IBM HTTP Server for iSeries is not correctly set up to do certificate 
registration using SSL and client authentication on the secure *ADMIN server 
instance. If none of the previous troubleshooting tips works, contact your 
system administrator to report the problem. 


To Assign a user certificate, you must connect to Digital Certificate Manager 
(DCM) by using an SSL session. If you are not using SSL when you select the 
Assign a user certificate task, DCM displays a message that you must use SSL. 
The message contains a button so that you can connect to DCM by using SSL. If 
the message displays without the button, inform your system administrator of the 
problem. The Web server may need to be restarted to ensure that the configuration 
directives for using SSL are activated. 
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Chapter 10. Related information for DCM 


As the use of digital certificates has become more prevalent, information resources 
have also become more available. Here is a small list of other resources that you 
can review to learn more about digital certificates and how you can use them to 
enhance your iSeries security policy: 


* [VeriSign Help Desk web site/™# 


The VeriSign web site provides an extensive library on digital certificates topics, 
as well as a number of other Internet security subjects. 


This IBM Redbook focuses on V5R1 network security enhancements. The 
redbook covers many topics including how to use iSeries object signing 
capabilities, Digital Certificate Manager (DCM), the 4758 Cryptographic 
Coprocessor support for SSL, and so forth. 


- [AS/400° Internet Security: Developing a Digital Certificate Infrastructure 
(SG24-5659) 


This redbook describes what you can do with digital certificates on the iSeries 
server. It explains how to set up the various servers and clients to use 
certificates. Further it provides information and sample code of how to use 
OS/400 APIs to manage and use digital certificates in user applications. 


¢ [RFC Index Search i 


This web site provides a searchable repository of Request for Comments (RFCs). 
RFCs describes the standards for Internet protocols, such as SSL, PKIX, and 
others that related to using digital certificates. 
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